The permanent master identity key

Today the system was upgraded to and at 09:00 CEST the following message appeared:

09:00:08 [notice] It looks like I should try to generate and sign a new medium-term signing key, because the one I have is going to expire soon. But OfflineMasterKey is set, so I won’t try to load a permanent master identity key is set. You will need to use ‘tor --keygen’ make a new signing key and certificate.

I have checked by google and I get the following reference:

What is OfflineMasterKey and how to configure it?

I guess if you have more nodes you have an offline master key for all of them instead of having 1key/relay.
This is good for (1) hardening your sercurity (2) backup purpose in case your server was hosted on DediPath and you want to migrate it now to other location

¿Nobody to tell me more about this offline master key?

Offline Relay Identity Keys Please note the link to the detailed guide.
@nusenu’s Ansible Role for Tor Relay Operators support offline keys, see:
security: offline Ed25519 master keys are generated on the ansible host and are never exposed to the relay

Regardless of whether you use offline keys Back up your keys should always be done. I also save the fingerprints & torrc.
After a hardware crash you can reinstall the relays. The relay history is retained and you don’t have to wait for the ramp up phase again.

1 Like