Wipe relay key material from memory on common crash conditions
Tor should wipe key material before common crash conditions, to avoid key material leak in the case where relay operators have otherwise taken steps to keep key material off of disk.
There are two vectors towards obtaining key material after crash: core files, and large mmap attempts by other users' processes.
It turns out many OS kernels do not provide ways to defend against the latter case. Therefore, tor should attempt to wipe sensitive key material on atexit, SIGSEGV, SIGBUS, tor_assert() and other common exit conditions.
To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information