Opened 10 months ago

Last modified 10 months ago

#28000 assigned task

Add support for performing signing operations using ssh-agent

Reported by: ln5
Owned by: ln5
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

It would be nice if private keys on disk could be protected better. One way of doing this is to add support in tor for communicating with ssh-agent for signing operations instead of accessing the secret key itself by reading it from an unencrypted file stored on disk.

From the operator's perspective, this would require i) running ssh-agent and ii) adding key(s) to the agent before starting tor.

ssh-agent binds to a UNIX domain socket which tor would open and communicate over using the protocol specified in https://tools.ietf.org/html/draft-miller-ssh-agent-02.

I propose that configuration options are added for relevant keys and that the format include a type field specifying how to access the key. The type field would be separated from the rest of the option value by :. The two defined options would be file and ssh-agent. File type keys would have a path specification and ssh-agent keys would have a public key in Base64 (and an optional PKCS #11 provider name if that turns out to be necessary to accommodate multiple simultaneous HSM devices). A key not mentioned in the configuration simply defaults to current tor behaviour (implying file type) for backward compatibility.

It should be noted that an operator who is able to put secret keys on an encrypted volume, mounted at system startup, achieves a similar protection. An upside of the proposed approach is that keys can be moved to an external device (often called an HSM) that has a PKCS #11 provider.

Another way of achieving the single goal of encrypting keys on disk would be to allow for encrypted keys (presumably by storing them in PKCS #8 format instead of PKCS #1) and somehow make tor read pass phrase(s) from somewhere when starting up.
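As an added illustration of what the proposal entails (example code written for this page, not tor's code and not the reporter's), the Python below parses the proposed type:value option and performs one signing operation against a running ssh-agent over SSH_AUTH_SOCK using the message numbers from draft-miller-ssh-agent-02; the function and option names are assumptions, and the key blob, data and agent replies used in the test are constructed.

```python
import base64, os, socket, struct

SSH_AGENT_FAILURE, SSH_AGENTC_SIGN_REQUEST, SSH_AGENT_SIGN_RESPONSE = 5, 13, 14  # draft-miller-ssh-agent-02, 5.3

def ssh_string(b):
    # SSH "string": big-endian uint32 length followed by the bytes
    return struct.pack(">I", len(b)) + b

def read_ssh_string(buf, off=0):
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string in agent message")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_key_option(value):
    """Proposed 'type:value' option (hypothetical): 'file:<path>' or 'ssh-agent:<base64 public key
    blob>'; a bare value keeps today's behaviour (a file path) for backward compatibility."""
    kind, sep, rest = value.partition(":")
    if not sep or kind == "file":
        return ("file", rest if sep else value)
    if kind == "ssh-agent":
        return ("ssh-agent", base64.b64decode(rest, validate=True))
    raise ValueError("unknown key type %r" % kind)

def build_sign_request(key_blob, data, flags=0):
    # SSH_AGENTC_SIGN_REQUEST: byte type, string key, string data, uint32 flags, length-framed
    body = bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(key_blob) + ssh_string(data)
    return ssh_string(body + struct.pack(">I", flags))

def parse_sign_response(msg):
    """Return (sig_type, raw_sig) from a framed reply; SSH_AGENT_FAILURE means the agent
    would not sign (key not loaded, or the agent is locked)."""
    body, _ = read_ssh_string(msg)
    if body[:1] == bytes([SSH_AGENT_FAILURE]):
        raise RuntimeError("agent refused to sign (key not loaded or agent locked?)")
    if body[:1] != bytes([SSH_AGENT_SIGN_RESPONSE]):
        raise ValueError("unexpected agent reply")
    sig_blob, _ = read_ssh_string(body, 1)  # the signature is itself an SSH signature blob
    sig_type, off = read_ssh_string(sig_blob)
    raw_sig, _ = read_ssh_string(sig_blob, off)
    return sig_type.decode("ascii"), raw_sig

def agent_sign(key_blob, data, sock_path=None):
    """Ask the agent at SSH_AUTH_SOCK to sign data; the secret key never enters this process."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path or os.environ["SSH_AUTH_SOCK"])
        s.sendall(build_sign_request(key_blob, data))
        with s.makefile("rb") as f:  # read(n) blocks until n bytes arrive or the agent closes
            hdr = f.read(4)
            return parse_sign_response(hdr + f.read(struct.unpack(">I", hdr)[0]))
```

Only the public key blob from the option and the data to sign cross the socket, so a compromise of the tor process exposes signing capability while the agent runs but not the key material itself.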

Child Tickets

Change History (1)

comment:1 Changed 10 months ago by teor

Milestone: Tor: unspecified

These seem like long-term projects or features
