
Generating Directory Authority Keys

If you want to know all the details of how Directory Authority keys work, see DirauthEd25519Keys.

RSA Keys

Legacy directory authority RSA keys are still used by clients.

Use the commands below, then restart your authority so it reads the new RSA keys. Using kill -HUP is not enough.

Offline RSA Keys

The default RSA key lifetime is 12 months. Use tor-gencert -m 1 for a 1-month lifetime, which matches the default Ed25519 signing key lifetime.

To use offline RSA keys, execute these commands on another computer. Then copy these files to the keys directory on your authority:

authority_certificate
authority_signing_key

The secret master key is:

authority_identity_key

Generating RSA Keys

$ cd keys
$ tor-gencert --create-identity-key -m 12
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Renewing RSA Keys

To regenerate the RSA signing key and certificate:

$ cd keys
$ tor-gencert -m 12
Enter PEM pass phrase:

Ed25519 Keys

Use the commands below, then HUP your authority so it reads the new keys. Authorities also try to read new ed25519 keys just before they expire.

Offline Ed25519 Keys

We recommend that public directory authorities use offline Ed25519 keys.

Before starting your authority, set this torrc option:

OfflineMasterKey 1

Generating Ed25519 Keys

To create Ed25519 keys, use:

$ tor --keygen --DataDirectory <DIR> --SigningKeyLifetime "30 days"

The default ed25519 online key lifetime is 1 month.

You will be asked to provide a passphrase to encrypt the Ed25519 master ID secret key. Save this passphrase somewhere safe: you will need it again whenever the keys have to be renewed.

Then copy these files to the keys directory on your authority:

ed25519_master_id_public_key
ed25519_signing_secret_key
ed25519_signing_cert

The secret master key is:

ed25519_master_id_secret_key

Be sure you save all the files generated in <DIR>/keys, because you will need them when it is time to renew things (specifically the ed25519_master_id_secret_key_encrypted and ed25519_master_id_public_key).
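The file lists for the RSA and Ed25519 offline keys are easy to get wrong when copying by hand. The following POSIX shell check is an added example, not part of this wiki page or of tor itself: it verifies that the keys directory on the authority holds every file this page says to copy and none of the secret master keys, and reads the expiry date from the authority certificate's dir-key-expires line (part of the version-3 authority certificate format); the awk parse, the function names and the /var/lib/tor/keys path in the usage comment are assumptions.

```shell
#!/bin/sh
# Pre-restart sanity check for a directory authority's keys directory.
# Added example for this page; not part of the Tor wiki or the tor source.
# Assumes the file names listed on this page and the "dir-key-expires" line
# of a version-3 authority certificate (format from Tor's dir-spec).

# Files that must be present on the authority when master keys are kept offline.
REQUIRED="authority_certificate authority_signing_key ed25519_master_id_public_key ed25519_signing_secret_key ed25519_signing_cert"

# Secret master keys that belong on the offline machine, never on the authority.
FORBIDDEN="authority_identity_key ed25519_master_id_secret_key"

# check_keys_dir DIR: returns 0 when every required file is present and no
# secret master key was copied along by mistake; reports problems on stderr.
check_keys_dir() {
    dir=$1
    rc=0
    for f in $REQUIRED; do
        [ -f "$dir/$f" ] || { echo "missing: $dir/$f" >&2; rc=1; }
    done
    for f in $FORBIDDEN; do
        [ ! -e "$dir/$f" ] || { echo "secret master key on online host: $dir/$f" >&2; rc=1; }
    done
    return $rc
}

# cert_expiry_date CERT: prints the YYYY-MM-DD date from the dir-key-expires line.
cert_expiry_date() {
    awk '$1 == "dir-key-expires" { print $2; exit }' "$1"
}

# cert_expired CERT [TODAY]: returns 0 if the certificate's expiry date is on or
# before TODAY (default: current UTC date). ISO dates compare lexicographically,
# so expr's string comparison suffices and no GNU date extension is needed.
cert_expired() {
    exp=$(cert_expiry_date "$1")
    today=${2:-$(date -u +%Y-%m-%d)}
    [ -n "$exp" ] || { echo "no dir-key-expires line in $1" >&2; return 2; }
    expr "$exp" \<= "$today" >/dev/null
}

# Typical use before restarting (RSA) or HUPing (Ed25519) the authority
# (the path is an assumed example):
#   check_keys_dir /var/lib/tor/keys && ! cert_expired /var/lib/tor/keys/authority_certificate
```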

Renewing ED25519 Keys

Find where you generated the original files in the previous step. They should be located under <DIR>/keys. Also locate the password that you used to encrypt the ED25519 master ID secret key. Then you will need to run:

$ tor --keygen --DataDirectory <DIR> --SigningKeyLifetime "30 days"

You should be prompted to enter the passphrase for the Ed25519 master ID secret key. If you are instead asked to "Enter new passphrase", you are generating a new Ed25519 master ID secret key, which is not what you want when renewing keys. If you do this and then replace the generated files on your dirauth, the other authorities will produce this error and not accept your descriptor:

Looks like your keypair has changed? This authority previously recorded a different RSA identity for this Ed25519 identity (or vice versa.) Did you replace or copy some of your key files, but not the others? You should either restore the expected keypair, or delete your keys and restart Tor to start your relay with a new identity.

Find the ed25519_master_id_secret_key_encrypted and ed25519_master_id_public_key that you originally generated, make sure they are in the <DIR>/keys directory, and try again. You know the renewal is working when you are prompted for the existing passphrase: "Enter passphrase for master key:"

Online Ed25519 Keys

If you are using an online Ed25519 master key, the Ed25519 keys are regenerated automatically by Tor.

Last modified on Apr 1, 2018, 9:56:41 PM