Protect Tor Hidden Service Key

[fpietrosanti]

Currently Tor have a security weakness so that the Tor Hidden Service Key and the file containing the hostname are stored in clear-text onto the computer's filesystem with no ability to protect it.

The only way to currently protect that kind of file resources is trough the implementation of filesystem encryption, but unfortunately it does require administrative privileges and kernel modules to work.

This ticket is about the implementation of a system to protect the Tor Hidden Service Key and Hostname file.

The implementation maybe done trough:

• Implementation of Tor's Ticket https://trac.torproject.org/projects/tor/ticket/5976
• Implementation of APAF's Ticket APAF's Secure database support #25
• Implementation of TxTorConn Ticket Implement dynamic loading of Tor Hidden Service Keys meejah/txtorcon#13

That way it would be possible to store securely Tor HS Key in APAF's Secure Database and load it dynamically via TorCP

[joxer]

Why not using a fuse filesystem? Surely there will be some implementation of encrypted file system in user space

[fpietrosanti]

Fuse require a kernel module to be loaded, that introduce even more cross-platform dependency issues.

Additionally Fuse kernel module loading require administrative privileges.

[fpietrosanti]

On txtorcon issue there is a good discussion in using another approach with FIFO / Named Pipes

[fpietrosanti]

On Tor there's someone that recently pushed a patch to be reviewed doing that feature for handling TorHs via TorCP: https://trac.torproject.org/projects/tor/ticket/6411#comment:6