Hi,

I'd like to highlight a "new" security feature in the expected upcoming tor stable release:

offline master keys

I'm posting this here now - before the actual release - because if you upgrade without thinking about this feature your ed25519 master key will be generated the first time tor 0.2.7.x starts up and at that point in time it might be already to late for the - 'master key never touched my online relay' - option.

Why are offline master keys better then online master keys?

- you can keep the key under your control while using (semi-trusted) hosting providers - impact of relay compromise or seizure is less fatal and limited in time (default worst case: 30days) - the bad guys have to come back every 30 days to steal your keys again

The default expiry for signing keys is 30 days but can be configured (torrc).

It is also important to note that if you enable this feature your relays need more care (depending on how you configure key expiry). If you forget about it and the signing key expires your relay will shutdown. Something that will be noticed by a relay operator monitoring its relays and bw usage.

Even if you are running 0.2.7.x already you can make use of this feature by moving your master key from the relay to an offline system + torrc configuration.

Documentation is currently a bit light but s7r is working on improving it. https://trac.torproject.org/projects/tor/ticket/16645 related tor-dev thread: https://lists.torproject.org/pipermail/tor-dev/2015-November/009905.html

ansible-relayor will eventually support offline master keys but it will take some time until tor 0.2.7.x reaches all platforms including OpenBSD. A first (unreviewed) poc has been committed in a dedicated branch.

https://github.com/nusenu/ansible-relayor/commit/2c4040df7848f382ced02b43f35...

Automation is key in making this feature usable (with short key expiry).

You might want to consider this feature - especially if you run a significant portion of the tor network.