How exactly do I back up my relay's identity keys?

I use a laptop to connect to a server in the cloud to run my tor relay and I wanted to download my relay’s master key off the server. I tried searching online for answers and all I can find is vague information about backing up keys. I would like to know the commands used to download them to the laptop or if it’s even possible to do.
Thanks for the help

https://community.torproject.org/relay/setup/post-install/
There you find the directory you have to back up.
To give a more specific answer or even a working command we have to know a bit more about your setup. Which OS, how do you connect to your server, etc.

The keys are located in /var/lib/tor/keys.
You can use WinSCP to connect to the server and download the keys locally.

Hi, check out this link from the Tor Project Community.

Read number 9 Maintaining a relay - Backup Tor Identity Keys
https://community.torproject.org/relay/setup/post-install/
Hope this helps :smiley:

First of all, try to understand what you are doing (I might have made a typo or mistake, even if I’m trying not to) → it will help you in the end.

10.10.10.10 ← The server your tor is running on now.
12.12.12.12 ← The new server you want the identity to be copied to.

In general I back up the complete DataDirectory /var/lib/tor in this case. Be root or use sudo. Stop the tor process before doing so.

cd /var/lib/
tar cvfz /tmp/tor-backup.tgz tor
chown username:username /tmp/tor-backup.tgz

The last step is necessary to give permission to the user you are able to log in as via ssh. If you log in as root, this is not needed; otherwise change both username:username to the user you are using for ssh.

Copy the tor-backup.tgz with scp to the new server or backup location (do this on the machine you want to copy the backup to [12.12.12.12]):

scp username@10.10.10.10:/tmp/tor-backup.tgz /tmp/tor-backup.tgz

If you want to migrate your node to another server (12.12.12.12), be sure to have tor installed and configured (torrc), but not running yet. Then copy/move the backup to your new DataDirectory:

mv /tmp/tor-backup.tgz /var/lib/
cd /var/lib/
tar xvfz tor-backup.tgz
chown -R debian-tor:debian-tor /var/lib/tor

The last line is assuming you will run tor on a Debian system with the standard user debian-tor. If this is not the case, you have to adapt it to your needs.

On the server 10.10.10.10 remove the file in /tmp/ after confirming your backup worked:

rm /tmp/tor-backup.tgz

And remove the tor-backup.tgz from /var/lib/tor-backup.tgz on the new machine too:

rm /var/lib/tor-backup.tgz

Afterwards start tor on the new machine and you should be fine. In case you want a backup, store tor-backup.tgz in a safe location. You should also remove the original keys on the 10.10.10.10 in the last step:

rm -rf /var/lib/tor

[a few extra steps were included for clarity]

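For the original question (getting the keys onto the laptop), the backup above can also be streamed over ssh so that no archive readable by other local users sits in /tmp on the server. This is an added example, not part of any post in the thread. It assumes a default setup with the master key on the server, an ssh user that can run sudo tar without a password prompt, and function names that are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Stop tor on the server before taking the backup, as the post above says.

# Files in DataDirectory/keys that define the relay's identity
# (assumes the master key is kept on the server, i.e. no offline-key setup).
REQUIRED_KEYS="tor/keys/ed25519_master_id_secret_key tor/keys/secret_id_key"

# make_backup PARENT_DIR OUT_FILE
# Archive PARENT_DIR/tor into OUT_FILE; umask 077 makes the archive 0600
# from the moment it is created, so no chown/chmod window is needed.
make_backup() {
    ( umask 077 && tar -czf "$2" -C "$1" tor )
}

# verify_backup FILE
# Succeeds only if the archive can be read, contains the identity keys,
# and is not accessible to group or other.
verify_backup() {
    listing=$(tar -tzf "$1") || return 1
    for f in $REQUIRED_KEYS; do
        printf '%s\n' "$listing" | grep -Fqx "$f" || {
            echo "missing from archive: $f" >&2
            return 1
        }
    done
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "archive mode $mode is too open" >&2; return 1 ;;
    esac
}

# pull_backup USER@HOST OUT_FILE
# Run on the laptop: tar writes to stdout on the server, ssh carries it,
# and the archive only ever exists as a 0600 file on the laptop.
pull_backup() {
    ( umask 077 && ssh "$1" 'sudo tar -czf - -C /var/lib tor' > "$2" ) &&
        verify_backup "$2"
}

# Usage on the laptop, with the address used in the post above:
#   pull_backup username@10.10.10.10 "$HOME/tor-backup.tgz"
```

If the ssh or sudo step fails, the output file is empty and verify_backup rejects it, so a non-zero exit status means there is no usable backup yet.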

I am using Debian 12 for anyone wondering what OS.

Thanks for taking the time to explain.


If we want to keep the node running, do we need to keep its identity secret keys present locally for it to continue working or not? If not, would it be best to store the keys off the server to lessen the risk of them being compromised?

Have a look here:


You can store the master key offline.
https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorRelaySecurity/OfflineKeys
