Is backing up a relay server hosted in the cloud using the cloud providers' backup option safe?

Hello. So is it secure to back up a Tor relay using the hosting provider’s backup option (which backs up the whole server), or should I manually copy the relay backup keys and store them offline? And also, is it more secure to use hardened ssh or LAN/console access to the server?
Thanks.


Hi,

That greatly depends on the specifics of the backup solution and your threat model. I’ll assume you’re talking about virtual machines, since you mention cloud hosting. Let’s briefly mention two very generalized possibilities.

1 Incompetence: the cloud provider has a weak security posture (i.e. isn’t very security minded) and/or isn’t technologically capable of securing their customers’ services at the proper level.

In this case, having your Tor relay private keys on another one of their systems exposes the keys to more ways of getting compromised. You could mitigate this by using good encryption on your backups before the backups are transferred to the cloud provider’s backup storage.

I would be hesitant to trust built-in encryption mechanisms that encrypt whole virtual machine exports/backups on the hypervisor/host level, simply because the cloud provider is in control of that mechanism and you can’t verify anything.

2 Malice: the cloud provider passively or actively works together with law enforcement agencies, copyright agencies and the like.

In this case it really doesn’t matter, because they are the only true administrators of your virtual machine, kernel, operating system, storage facilities etc. With virtual machines and containers it’s trivial for any remotely motivated cloud provider to steal your Tor relay’s private keys, and having them on their backup server as well wouldn’t make a big difference. And there isn’t much you can do about this anyway, so only choose cloud providers you trust (enough).

In general it’s always a good idea to store backups offline as well. It wouldn’t be the first time where some fire destroys both hypervisors and backup servers in the same data center. Most cloud providers are pressed for margin and they often cut corners just to be able to provide a compatible offering in a market with fierce competition. If you want more guarantees, you need to do it yourself or be very selective of the cloud providers you do business with.

Then finally about SSH vs console-over-LAN: this also greatly depends (sorry it’s not a yes or no answer ;-). A hardened OpenSSH server combined with a properly configured firewall (limiting access from a select few IP addresses) is rather secure. On the other hand, a dedicated management VLAN with a similar strict firewall (e.g. with a VPN for access) providing access to IPMI/iDRAC/iLO/console can be secure as well.

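An added example (not from this thread or the Tor Project) of the "encrypt before it leaves the host" step the reply recommends: a POSIX shell script that packs the relay's key directory, encrypts it with gpg's symmetric AES-256 mode using a passphrase kept offline, and then proves the archive restores byte-for-byte. The key directory path, passphrase file and output name are assumptions passed as arguments; a fresh GNUPGHOME is used so the relay's own keyring is never touched.

```shell
#!/bin/sh
# Added example: encrypt a Tor relay's key directory before the backup is
# handed to the cloud provider, then verify the archive restores exactly.
set -eu

# Symmetric mode needs no keyring; a throwaway home keeps gpg away from any
# existing keyring and works on hosts where HOME is not writable.
: "${GNUPGHOME:=$(mktemp -d)}"
export GNUPGHOME

# backup_keys KEYS_DIR PASSFILE OUT
# Streams a tar of KEYS_DIR straight into gpg, so no plaintext copy is ever
# written to disk. The passphrase lives in PASSFILE (keep it offline).
backup_keys() {
    keys_dir=$1; passfile=$2; out=$3
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 1; }
    umask 077   # the encrypted archive is created mode 0600
    tar -C "$keys_dir" -cf - . | gpg --batch --yes --quiet \
        --pinentry-mode loopback --passphrase-file "$passfile" \
        --symmetric --cipher-algo AES256 \
        --s2k-mode 3 --s2k-digest-algo SHA512 --s2k-count 65011712 \
        --output "$out"
}

# verify_backup ARCHIVE PASSFILE KEYS_DIR
# Decrypts ARCHIVE into a private scratch directory (mktemp -d gives 0700),
# checks gpg's own exit status (which catches a wrong passphrase or a
# tampered archive), and compares every restored file with KEYS_DIR.
# Returns 0 only if the restore is byte-for-byte identical.
verify_backup() {
    archive=$1; passfile=$2; keys_dir=$3
    scratch=$(mktemp -d); rc=1
    if gpg --batch --quiet --pinentry-mode loopback --passphrase-file "$passfile" \
           --output "$scratch/keys.tar" --decrypt "$archive" 2>/dev/null \
       && mkdir "$scratch/restored" \
       && tar -C "$scratch/restored" -xf "$scratch/keys.tar" \
       && diff -r "$keys_dir" "$scratch/restored" >/dev/null; then
        rc=0
    fi
    rm -rf "$scratch"
    return $rc
}
```

Run it as `backup_keys /var/lib/tor/keys /root/relay-backup.pass /backup/keys.tar.gpg` on the relay, store the passphrase file only offline, and run `verify_backup` before each rotation of the archive.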

Ok, and about this other Tor relay feature: I assume that these offline keys encrypt the Tor relay keys, so if someone gains access to them, they won’t be able to impersonate the relay? Also, when the server itself is not encrypted, the hosting provider can technically try to log in, but there is a password behind the Tor relay user, so how can they extract the key? Or are all the files of the server exposed because it’s not encrypted, and you don’t need to log in to view all the files on the server?

The Tor Project support page (“How can we help? | Tor Project | Support”) states that you can encrypt the keys when generating them manually. Is that different from storing them locally?