[tor-relays] FreeBSD 11.1 ZFS Tor Image

Conrad Rockenhaus conrad at rockenhaus.com
Sat Mar 3 22:27:33 UTC 2018



On 03/03/2018 04:27 AM, Moritz Bartl wrote:
> On 03.03.2018 07:11, Roger Dingledine wrote:
>> Apparently the link from my blog post, to
>> https://trac.torproject.org/projects/tor/wiki/doc/TorExitGuidelines
>> no longer has any mention pro or con disk encryption. I wonder if that
>> was intentionally removed by the torservers.net folks (maybe they have
>> even changed their mind on the advice?), or if it just fell out because
>> it's a wiki.
> I added the recommendation for "no disk encryption" back then, and it
> wasn't me who removed it.
>
> My own opinion has changed slightly: My general advice would still be to
> not do disk encryption, to reduce the amount of hassle and allow easier
> 'audits'. For additional protection, you better move the relay keys to a
> RAM disk.
>
> However, in our case, we don't really care how long they keep the
> machines for analysis, and we do not reuse hardware that was seized (it
> goes back into the provider pool, so some other customer might be in for
> a surprise...). In that case, a relay operator may decide to use disk
> encryption for integrity reasons: They at least have to ask you for the
> decryption key and cannot silently copy content or easily manipulate the
> file system.
>
Personally, I think entire disk encryption just to protect the keys is
way too much of a hassle. I completely agree with your solution - place
the keys in a ramdisk, that's actually a great idea. I'll put that into
what I'm building up right now.

Regards,

Conrad Rockenhaus