[tor-bugs] #16645 [Tor]: Write guide about using offline ed25519 keys on relays
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Jul 28 00:42:11 UTC 2015
#16645: Write guide about using offline ed25519 keys on relays
------------------------+---------------------------
     Reporter:  asn     |      Owner:
         Type:  task    |     Status:  new
     Priority:  normal  |  Milestone:
    Component:  Tor     |    Version:  Tor: 0.2.7
   Resolution:          |   Keywords:  tor-relay doc
Actual Points:          |  Parent ID:
       Points:          |
------------------------+---------------------------
Comment (by s7r):
I will start to write an easy and complete FAQ. My concern is more with
people not reading it than with how to write it. I want to make sure that
if someone wants to use this feature, he reads the documentation _before_
(which is why I want to keep the FAQ page small, simple and explicit even
for non-technical people, so that it will be read entirely).
Can we easily create an ASCII-armored version of the encrypted ed25519
master id key?
I would like to offer the possibility to store it in as many different
places as possible: sending it in an email, printing it as a QR code or
saving a small image of the QR code somewhere, storing it in a cloud
service (maybe with an optional additional layer of PGP encryption for
operators who also use PGP). Given that most relays are probably run in
datacenters, I don't think many operators can plug a storage medium into
the servers and cut/paste the key, so they will have to export it through
the internet via a secure channel.
While discussing usability with nickm, I was thinking of making Tor ask
some questions when started (no ed25519 key found, generate one? encrypt
it? what SigningKeyLifetime? [...]) and at the same time making it
noninteractive, using the defaults if there is no input from the user
within 'n' seconds. Thinking more about this approach, I don't think it
would be a great idea, as it would require more code and might also make
the operator 'curious' and likely to use the feature without reading the
entire documentation or understanding exactly how it works. Operators
using this feature in a wrong way will affect the network in a bad way. If
an operator is interested in using this feature, a big, clear FAQ / HOWTO
page will be available, and we should limit the possibility of someone
using this feature without knowing about it or reading the instructions.
I see 3 major points an operator needs to pay attention to:
- Don't forget to attend to the relay within the SigningKeyLifetime period
and create a new signing key + cert. Keeping the master ID key offline
will not work for relays which run unattended for a long time. Better not
to use this feature if you don't have time to attend to the relay as
required by the SigningKeyLifetime period;
- Don't lose the master id key - save backups in multiple places.
Understand that losing this means losing the identity of the relay
forever. It would require starting a fresh relay from scratch;
- Use a strong password and remember it;
(maybe) don't even allow silly passwords, and require a minimum length of
8 chars with at least one upper case letter, one lower case letter, one
number and one symbol. The tradeoff with this is that we could force the
operator to use a more complicated password which will be easier to forget
(and forgetting the password == losing the master id key forever).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16645#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online