
Re: [tor-relays] Decommissioning a FallbackDir node (punki)



No problem.

You should default to full disk / partition encryption.

The ArchLinux Wiki has (as usual) a great article on this:

https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Encrypting_devices_with_cryptsetup

Also make sure to not use the standard hash library (SHA256) but SHA512 instead, and also use argon2id as PBKDF as it's slower and thus harder to brute-force your boot password.

This way your new provider will not be able to obtain your new keys.

Also, even if the old provider did indeed dump your HDD a while ago, the first / "real" relay to boot up with one descriptor / secret_key gets favored; the other / "fake" one, I believe I read a while back, will not be allowed onto the network, but take this with a grain of salt.

-GH

On Friday, October 4th, 2024 at 11:51 PM, Osservatorio Nessuno via tor-relays <tor-relays@xxxxxxxxxxxxxxxxxxxx> wrote:

> Hi,
> thanks both for your input.
>
> On 03/10/2024 21:24, boldsuck via tor-relays wrote:
>
> > But:
> > FallbackDir can also move to another provider/host. Simply copy the Tor keys
> > of the instance to the new host. I've done that several times.
>
> While we could, I would think it is not a great security practice to
> migrate keys that were on an old, non-updated provider cluster when
> building a new node elsewhere. That would double the risk of someone
> else having the secret keys (old provider, new provider instead of just
> the new provider).
>
> Giulio
> _______________________________________________
> tor-relays mailing list
> tor-relays@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
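
The LUKS settings recommended in the reply above (argon2id as PBKDF, SHA512 as hash) can be checked against a volume's header. The script below is an added example, not part of the original message; the function names and the sample dump are constructed, and it assumes the LUKS2 field layout printed by `cryptsetup luksDump`.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Formatting with the recommended settings (device path is a placeholder):
#   cryptsetup luksFormat --type luks2 --pbkdf argon2id --hash sha512 /dev/sdXn
# Auditing an existing volume: cryptsetup luksDump /dev/sdXn | audit_luks_dump

# Reads luksDump text on stdin, prints one line per finding and returns 0
# only if every keyslot uses argon2id and every hash field is sha512.
audit_luks_dump() {
    awk '
        /^Keyslots:/ { sec = "keyslot"; next }
        /^Digests:/  { sec = "digest";  next }
        /^[A-Z]/     { sec = "";        next }   # any other top-level line
        sec == ""    { next }
        # "  0: luks2" / "  0: pbkdf2" lines name the slot or digest; the
        # volume key digest is always listed as pbkdf2, so it is not a finding.
        /^[ \t]+[0-9]+: / { id = $1; sub(/:$/, "", id); next }
        $1 == "PBKDF:" { slots++
            if ($2 != "argon2id") { print "keyslot " id ": PBKDF is " $2; bad = 1 } }
        $1 == "Hash:" && $2 != "sha512" { print sec " " id ": hash is " $2; bad = 1 }
        $1 == "AF" && $2 == "hash:" && $3 != "sha512" {
            print "keyslot " id ": AF hash is " $3; bad = 1 }
        END { if (!slots) { print "no LUKS2 keyslots found"; bad = 1 }
              exit bad + 0 }
    '
}

# Constructed, abbreviated luksDump text: $1 = keyslot PBKDF, $2 = hash name.
sample_dump() {
    cat <<EOF
LUKS header information
Version:        2

Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      $1
        AF stripes: 4000
        AF hash:    $2
Tokens:
Digests:
  0: pbkdf2
        Hash:       $2
EOF
}

# A header with argon2id but the sha256 hash is reported as not matching.
sample_dump argon2id sha256 | audit_luks_dump || echo "header does not match the recommended settings"
```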
