[tor-relays] Encrypting the DataDir

Cristian Consonni cristian at balist.es
Wed May 31 11:36:31 UTC 2017


Hi,

thanks everybody for your replies.

On 30/05/2017 15:52, dawuud wrote:
> Is there a clear threat model justifying use of disk encryption here?
> The decryption keys sit in system memory so an adversary with physical
> access will surely win. I just don't see the point.

On 30/05/2017 20:30, tor wrote:
> I also don't understand the point of encrypting this directory.

On 30/05/2017 20:40, diffusae wrote:
> Me too not.
>
> If the machine is running, the content is always unencrypted.

On 31/05/2017 02:41, teor wrote:
> On a relay, the most sensitive content is in DataDir/keys.
> You could encrypt that if you want to protect your keys when your
> relay is powered off.

I was asking mostly out of curiosity, I do not have a specific threat in
mind, but I was following the scenario "node is seized" like it has
recently happened for some of the relays and was announced on this
list[1a][1b].

My relays are running as VPSes on a third-party provider, so - yeah -
they are exposed to attacks from the providers themselves. But I have to
trust them in any case, anyhow, don't I?

I understand that what I am getting is very limited. It basically works
if the provider decides to shut down the machine or I am able to shut
down the machine before it is seized/analysed.

And again, if I know (i.e. I am notified) that the machine is seized,
whether it is running or not I can always write here to ask that node to
be cut out of the network.

So, the difference is that *if* the machine is shut down before it is
inspected then I just have a little more time to ask for the node to be
removed. Is this correct?

In the end, probably this is quite some hassle for very little gain.

On 31/05/2017 02:41, teor wrote:
> Or you could use OfflineMasterKey for the ed25519 keys, which is
> even safer. (But doesn't do anything for the RSA keys.)

I will probably set up the OfflineMasterKey (I still have a couple of
questions, see the other thread).

> I wouldn't bother encrypting the entire DataDir, it contains
> consensuses and descriptors, and (as of 0.3.1) will contain consensus
> diffs and compressed consensuses, so it will get a bit larger.
>
> The most sensitive part is probably the state file, but a relay's
> guards are not that sensitive.

Encrypting the whole DataDir seemed to me the only viable configuration
given that in torrc you can only specify where the DataDir is.

Cristian

[1a]: https://lists.torproject.org/pipermail/tor-relays/2017-May/012281.html
[1b]: https://lists.torproject.org/pipermail/tor-relays/2017-May/012406.html
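An added audit script for the points teor raises above (keys/ is the sensitive part of the DataDir, OfflineMasterKey takes the ed25519 master secret offline but leaves the RSA key on disk). This is example code, not from the thread or the Tor project; it assumes the standard file names under DataDir/keys and that an encrypted volume, if used, would be mounted at keys/.

```shell
#!/bin/sh
# Audit a Tor DataDirectory's keys/ subdirectory: is it on its own filesystem
# (e.g. an encrypted volume mounted there), is it closed to group/others, and
# is the ed25519 master secret absent (OfflineMasterKey in use)?

# Print "separate" if DIR sits on a different filesystem than its parent.
keys_mount_status() {
  dir="$1"
  parent=$(dirname "$dir")
  if [ "$(df -P "$dir" | awk 'NR==2{print $1}')" != \
       "$(df -P "$parent" | awk 'NR==2{print $1}')" ]; then
    echo separate
  else
    echo shared
  fi
}

# Print "online" if the ed25519 master secret is still in keys/, "offline" if
# only the signing key is present (OfflineMasterKey), "missing" if neither.
master_key_status() {
  keys="$1"
  if [ -f "$keys/ed25519_master_id_secret_key" ]; then
    echo online
  elif [ -f "$keys/ed25519_signing_secret_key" ]; then
    echo offline
  else
    echo missing
  fi
}

# Print "ok" if the keys dir grants nothing to group/others, else "loose".
keys_perm_status() {
  mode=$(ls -ld "$1" | cut -c5-10)
  if [ "$mode" = "------" ]; then echo ok; else echo loose; fi
}

# List the secret key files still stored in keys/; these are what disk
# encryption would protect while the relay is powered off.
online_secrets() {
  for f in secret_id_key secret_onion_key secret_onion_key_ntor \
           ed25519_master_id_secret_key ed25519_signing_secret_key; do
    [ -f "$1/$f" ] && echo "$f"
  done
  return 0
}
```

Run the functions against your DataDir (e.g. `master_key_status /var/lib/tor/keys`) to see which secrets remain on the online disk.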
