The TorHSM work item aims to let directory authority signing keys move into a so-called Hardware Security Module (HSM) based on the CrypTech Alpha board. The Tor side of the project produces code for little-t-tor, a program for key management, and supporting software for development and testing. See the CrypTech wiki for a description of TorHSM from the CrypTech point of view.
== Status
- 2019-07-10 Successfully producing a consensus with one dirauth using an emulated HSM device in a Chutney test network (basic) with TestingV3AuthInitialVotingInterval set to 120 and VoteDelay/DistDelay at 20, when the HSM takes 8 seconds to produce a signature.
== Design
== Code
=== tor
https://gitweb.torproject.org/user/linus/tor.git/log/?h=torhsm
NOTE: This branch is not meant for merging into master! It is a PoC written to minimize the diff against tor-0.3.5.8 in order to show what needs to be done. The consensus handling code should be refactored before this functionality is proposed for master.
=== chutney
https://gitweb.torproject.org/user/linus/chutney.git/log/?h=torhsm
NOTE: Chutney does not perform quite a few of the steps needed to set things up properly; see the note in networks/basic-hsm for a list.
=== USB gadget emulation
== Notes
== Open questions
- Figure out how legacy dirauth keys are meant to be used and if they're still considered a good idea.
- Does tor still need variable consensus periods? If so, our idea with rate-limiting might not work.
- Really verify new signing keys ('verify'), or simply activate new key when operator says so ('activate')?
- Require PIN or not?
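Two of the items above can be checked with a bit of arithmetic: the status entry's claim that an 8-second signature fits a round with VoteDelay/DistDelay of 20, and the open question of what a per-period rate limit on the HSM does when consensus periods change length (tor's testing networks already do this once, when they move from TestingV3AuthInitialVotingInterval to V3AuthVotingInterval after the first consensus). The following is an added example, not code from tor, chutney or the TorHSM branch. It models the v3 voting round as dir-spec lays it out (vote published at valid-after minus VoteDelay minus DistDelay, votes collected until valid-after minus DistDelay, consensus signed then, signatures collected until valid-after) and counts signatures in a sliding window. The `propagation_seconds` parameter, the halving rule in `schedule` (my recollection of how tor validates the delays against the interval) and all function names are this example's own assumptions.

```python
"""Voting-schedule and signing-rate check for a dirauth that signs on a slow HSM.

Added example; not code from tor, chutney or the TorHSM branch.  Times are in
seconds, measured from the instant voting opens for one round.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Schedule:
    """Key instants of one v3 voting round (dir-spec ordering)."""
    vote_at: int            # dirauth signs and publishes its vote
    votes_close: int        # peers stop collecting votes
    consensus_sign_at: int  # consensus is computed and signed
    valid_after: int        # consensus becomes valid; signatures must be in


def schedule(interval, vote_delay, dist_delay):
    """Lay out one round.  The halving rule is an assumption about tor's
    config check: the two delays must leave room for two rounds per interval."""
    if vote_delay + dist_delay >= interval // 2:
        raise ValueError("VoteDelay + DistDelay must be less than half the interval")
    votes_close = vote_delay
    return Schedule(vote_at=0, votes_close=votes_close,
                    consensus_sign_at=votes_close,
                    valid_after=votes_close + dist_delay)


def check_signing_latency(interval, vote_delay, dist_delay, sign_seconds,
                          propagation_seconds=0):
    """Return (vote_ok, consensus_ok, vote_slack, consensus_slack).

    sign_seconds is how long the HSM takes per signature; propagation_seconds
    (assumed) is how long peers need to fetch what was published.
    """
    s = schedule(interval, vote_delay, dist_delay)
    # The vote only counts if it is signed and fetched before votes close.
    vote_ready = s.vote_at + sign_seconds + propagation_seconds
    # The consensus signature must reach peers before valid-after.
    consensus_ready = s.consensus_sign_at + sign_seconds + propagation_seconds
    vote_slack = s.votes_close - vote_ready
    consensus_slack = s.valid_after - consensus_ready
    return vote_slack > 0, consensus_slack > 0, vote_slack, consensus_slack


def max_sign_seconds(vote_delay, dist_delay, propagation_seconds=0):
    """Largest per-signature latency that leaves at least one second of slack
    on both the vote deadline and the consensus deadline."""
    return min(vote_delay, dist_delay) - propagation_seconds - 1


def signing_instants(period_lengths, vote_delay):
    """Absolute times at which the HSM is asked to sign: one vote signature
    when a period's voting opens, one consensus signature vote_delay later."""
    t, out = 0, []
    for length in period_lengths:
        out += [t, t + vote_delay]
        t += length
    return out


def max_signatures_in_window(instants, window):
    """Most signatures requested within any sliding window of `window` seconds.
    A per-window rate limit on the HSM must be at least this large."""
    instants = sorted(instants)
    best, j = 0, 0
    for i, start in enumerate(instants):
        while j < len(instants) and instants[j] < start + window:
            j += 1
        best = max(best, j - i)
    return best


if __name__ == "__main__":
    # Values from the 2019-07-10 status entry: interval 120, delays 20, 8 s signing.
    print(check_signing_latency(120, 20, 20, 8))
    print("max tolerable signing latency:", max_sign_seconds(20, 20, 5))
    # Constructed period sequence: one initial 120 s period, then 300 s periods.
    # A limit of two signatures per 300 s window would be exceeded at the switch.
    print(max_signatures_in_window(signing_instants([120, 300, 300], 20), 300))
```

With the status entry's numbers the vote and the consensus signature each have 12 seconds of slack, so the 8-second HSM fits; with fixed 120-second periods the HSM signs at most twice per period, but a sequence that starts with a shorter initial period can pack four signatures into one regular-length window, which is the case a per-period rate limit has to allow for.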
== To do