On 11/19/2015 12:19 AM, nusenu wrote:
> background: I might want to integrate offline master key functionality into ansible-relayor [1].
> I added (preliminary) OfflineMasterKey support to ansible-relayor [1] - in fact it will become the only option eventually as it makes many things actually simpler. It would be great if someone could take a look and let me know whether it looks reasonable.
> The security critical parts are probably:
> - key generation [2]
> - copying of key material to the relay [3]
> I copy/expose the following files to the relay:
> [ 'ed25519_master_id_public_key', 'ed25519_signing_cert', 'ed25519_signing_secret_key', 'secret_id_key', 'secret_onion_key', 'secret_onion_key_ntor']
When first setting up (new relay) or restoring the relay, yes. But when only renewing the ed25519 medium term signing key (if ansible-relayor will support this) you only need to copy/expose the following files to the relay:
ed25519_signing_cert, ed25519_signing_secret_key
If you also move secret_onion_key and secret_onion_key_ntor, it could mess up Tor's internal automated key rotation, and the descriptors available to clients might become invalid, making it impossible for clients to extend circuits through this relay. That's why Tor keeps a .old version of these keys when rotating, so clients with older descriptors won't experience circuit failures when using this relay.
To detect this, either the user lets ansible-relayor know whether he is setting up a new relay / restoring a relay or just renewing the ed25519 keys for a running relay, or ansible-relayor reads Tor's $datadirectory/keys folder and, if secret_id_key exists, assumes the latter.
[1] https://github.com/nusenu/ansible-relayor/commit/2c4040df7848f382ced02b43f35...
[2] https://github.com/nusenu/ansible-relayor/blob/2c4040df7848f382ced02b43f35ca...
[3] https://github.com/nusenu/ansible-relayor/blob/2c4040df7848f382ced02b43f35ca...
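The file-selection rule and the secret_id_key autodetection described in the reply, written out as an added example (not code from ansible-relayor or from either poster). The file names are the ones listed in the thread; the mode names ('new', 'restore', 'renew'), the function names and the guard that refuses to push onion keys onto a running relay are assumptions made for this example.

```python
import os
import tempfile

# File names are the ones listed in the thread; the two sets follow the reply.
FULL_SET = [
    "ed25519_master_id_public_key",
    "ed25519_signing_cert",
    "ed25519_signing_secret_key",
    "secret_id_key",
    "secret_onion_key",
    "secret_onion_key_ntor",
]
RENEW_SET = ["ed25519_signing_cert", "ed25519_signing_secret_key"]


def is_running_relay(keys_dir):
    """Autodetection from the reply: secret_id_key already present means an existing relay."""
    return os.path.isfile(os.path.join(keys_dir, "secret_id_key"))


def files_to_copy(keys_dir, mode=None):
    """mode is 'new', 'restore' or 'renew' (assumed names); None autodetects from keys_dir."""
    if mode is None:
        mode = "renew" if is_running_relay(keys_dir) else "new"
    if mode in ("new", "restore"):
        return list(FULL_SET)
    if mode == "renew":
        return list(RENEW_SET)
    raise ValueError("unknown mode: %r" % mode)


def check_plan(keys_dir, plan):
    """Guard for the failure mode in the reply: never push onion keys onto a running relay."""
    if is_running_relay(keys_dir):
        clobbered = [f for f in plan if f.startswith("secret_onion_key")]
        if clobbered:
            raise RuntimeError("would overwrite %s on a running relay" % clobbered)
    return True


def demo():
    """Constructed sample: an empty keys dir (new relay) next to one holding secret_id_key."""
    with tempfile.TemporaryDirectory() as fresh, tempfile.TemporaryDirectory() as running:
        open(os.path.join(running, "secret_id_key"), "w").close()
        try:
            check_plan(running, FULL_SET)
            guard_fired = False
        except RuntimeError:
            guard_fired = True
        return {"fresh": files_to_copy(fresh), "running": files_to_copy(running),
                "restore": files_to_copy(running, "restore"), "guard_fired": guard_fired}
```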