Hi,
thanks everybody for your replies.
On 30/05/2017 15:52, dawuud wrote:
> Is there a clear threat model justifying use of disk encryption here?
> The decryption keys sit in system memory so an adversary with physical
> access will surely win. I just don't see the point.
On 30/05/2017 20:30, tor wrote:
> I also don't understand the point of encrypting this directory.
On 30/05/2017 20:40, diffusae wrote:
> Me neither.
> If the machine is running, the content is always unencrypted.
On 31/05/2017 02:41, teor wrote:
> On a relay, the most sensitive content is in DataDir/keys. You could encrypt that if you want to protect your keys when your relay is powered off.
I was asking mostly out of curiosity. I do not have a specific threat in mind, but I was following the "node is seized" scenario, as has recently happened to some relays and was announced on this list [1a][1b].
My relays are running as VPSes on a third-party provider, so - yeah - they are exposed to attacks from the providers themselves. But I have to trust them in any case anyway, don't I?
I understand that what I am getting is very limited. It basically works if the provider decides to shut down the machine or I am able to shut down the machine before it is seized/analysed.
And again, if I know (i.e. I am notified) that the machine has been seized, whether it is running or not I can always write here to ask for that node to be cut out of the network.
So, the difference is that *if* the machine is shut down before it is inspected, then I just have a little more time to ask for the node to be removed. Is this correct?
In the end, this is probably quite a lot of hassle for very little gain.
On 31/05/2017 02:41, teor wrote:
> Or you could use OfflineMasterKey for the ed25519 keys, which is even safer. (But doesn't do anything for the RSA keys.)
I will probably set up the OfflineMasterKey (I still have a couple of questions, see the other thread).
> I wouldn't bother encrypting the entire DataDir, it contains consensuses and descriptors, and (as of 0.3.1) will contain consensus diffs and compressed consensuses, so it will get a bit larger.
> The most sensitive part is probably the state file, but a relay's guards are not that sensitive.
Encrypting the whole DataDir seemed to me the only viable configuration given that in torrc you can only specify where the DataDir is.
Cristian
[1a]: https://lists.torproject.org/pipermail/tor-relays/2017-May/012281.html
[1b]: https://lists.torproject.org/pipermail/tor-relays/2017-May/012406.html
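To make teor's two points concrete (the keys live in DataDir/keys, and OfflineMasterKey moves only the ed25519 master secret off the relay, never the RSA identity key), here is a small audit script. It is an added example, not code from the thread or from Tor; the file names are Tor's standard ones under DataDir/keys, while the sensitivity classification and the constructed sample directory are this example's own assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path

# Tor's standard secret files under DataDir/keys; the grouping is an assumption of
# this example. Everything listed here is what a seized, unencrypted disk yields.
LONG_TERM_SECRETS = {
    "secret_id_key",                  # RSA identity key: OfflineMasterKey does not remove it
    "ed25519_master_id_secret_key",   # ed25519 master key: absent when kept offline
}
MEDIUM_TERM_SECRETS = {
    "ed25519_signing_secret_key",     # stays on the relay even with OfflineMasterKey
    "secret_onion_key",
    "secret_onion_key_ntor",
}
# Files Tor needs on the relay when the ed25519 master key is kept offline.
OFFLINE_MASTER_REQUIRED = {
    "ed25519_master_id_public_key",
    "ed25519_signing_secret_key",
    "ed25519_signing_cert",
}

def audit_keys_dir(keys_dir):
    """Report which secrets an attacker with the powered-off disk would obtain."""
    keys_dir = Path(keys_dir)
    present = {p.name for p in keys_dir.iterdir() if p.is_file()}
    secrets_on_disk = sorted(present & (LONG_TERM_SECRETS | MEDIUM_TERM_SECRETS))
    master_offline = ("ed25519_master_id_secret_key" not in present
                      and OFFLINE_MASTER_REQUIRED <= present)
    # A secret readable by group/other is a finding whether or not the disk is encrypted.
    loose_perms = sorted(n for n in secrets_on_disk
                         if (keys_dir / n).stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO))
    return {
        "secrets_on_disk": secrets_on_disk,
        "ed25519_master_offline": master_offline,
        "rsa_identity_on_disk": "secret_id_key" in present,
        "group_or_world_readable": loose_perms,
    }

def audit_constructed_relay():
    """Build a constructed keys dir for a relay using OfflineMasterKey and audit it."""
    d = Path(tempfile.mkdtemp())
    for name in OFFLINE_MASTER_REQUIRED | {"secret_id_key", "secret_onion_key_ntor"}:
        (d / name).write_bytes(b"constructed placeholder, not real key material")
        os.chmod(d / name, 0o600)
    os.chmod(d / "secret_id_key", 0o644)   # deliberately loose, to show the check firing
    return audit_keys_dir(d)

if __name__ == "__main__":
    print(audit_constructed_relay())
```

Run it against a real relay with `audit_keys_dir("/var/lib/tor/keys")` (path is an assumption; use your own DataDir) to see that the RSA identity key remains on disk even once OfflineMasterKey is in use.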