-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 7/3/2014 1:40 PM, Kali Tor wrote: > > > > > >> On Thursday, July 3, 2014 9:11 AM, Mike Cardwell >> <[email protected]> wrote: >>> * on the Thu, Jul 03, 2014 at 10:02:06AM +0200, Lunar wrote: >> >>>>> I have done all that, so covered on that aspect. Was >>>>> wondering if >> disk encryption and use of something like TRESOR would be >> useful? >>>> >>>> The private keys for the node are sensitive, and even the >>>> .tor/state file for the guard nodes could be if the attacker >>>> does not already have that info, same for any non default >>>> node selection stuff in torrc. Tor presumably validates the >>>> disk consensus files against its static keys on startup so >>>> that's probably ok yet all easily under .tor anyway. >>> >>> Some says that it's better to leave the disk unencrypted >>> because in >> case >>> of seizure by the police, they can easily attest that the >>> system was only running Tor and nothing else. >> >> Even if it's encrypted, you can easily attest the exact same >> thing by handing over your password... If you choose to do so. >> >> >>> Some disagrees and says that we should always encrypt to make >>> tampering and (extra-)legal backdoor installation more >>> difficult. >>> >>> I believe the best strategy has never been really determined so >>> far. >> >> I know of only two benefits to not encrypting. >> >> 1.) On some systems, for some workloads, you might have some >> level of improved performance. For a Tor node, I doubt there is >> any noticable difference. >> >> 2.) You can reboot without having to enter a password. >> >> Encryption gives you choice. The choice to hand over your >> password/key or not. As far as I'm concerned, "the best strategy" >> *has* been determined and it's to encrypt... > > Thanks for the discussion on this. > > If disk encryption is indeed the way to go, how many of the node > operators do actually encrypt the disk? Has there been any > performance issues? I ask specifically because I run in a VPS where > resources are limited (compared to a proper machine). > > - kali- > > _______________________________________________ tor-relays mailing > list [email protected] > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays >
Depends, what configuration will that virtual machine have? You shouldn't notice too big of a difference, full disk encryption is not a resource killer on any configuration. - -- s7r PGP Fingerprint: 7C36 9232 5ABD FB0B 3021 03F1 837F A52C 8126 5B11 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) iQEcBAEBAgAGBQJTtTopAAoJEIN/pSyBJlsR9lkIAIYVigtTOYcYeihEJLx8yWs+ WRc/1p9u/YuSA62enSpqkuYYOtvMLsJiGtdRzr66kyrIqgifIStOAyTkd2un+QLq nRl2OY/jmhwg0EM0EGpdzDo9qMzEPpDOfRtoJhotnB+0Aurl8Bt6PuNhSezY3a3X VUmKaNf13SCyqyiB3cty+/gpSpTrQRoCH0lV/QtrMvHo8KqOknSbRa7LyylDz6Wv fH6C8UnIU6ueL2RxRV8h+cIla52mRJStv2LWO3+IqFBnGPrbFlZks7OjYaY74nEI r3YMg7dDgy9jT7QuL2LIBxGKsXAdDEeww+xLtbd1KRlYwt6W+JHtbVkhpO3Yfic= =3pg1 -----END PGP SIGNATURE----- _______________________________________________ tor-relays mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
