arti hss ctor-migrate should support deleting the migrated keys

Currently, arti hss ctor-migrate leaves the migrated keys behind, duplicating sensitive key material on disk. This was an intentional UX decision, but it's not great from a security perspective.

We need to

  • decide what the default behavior should be. Should ctor-migrate do a "hard" migration by default (i.e. delete the C Tor keys at the end of the migration), or should it leave the old keys behind? This is a tradeoff between security and usability: not having the key material duplicated across multiple places on disk is better for security, but worse for usability, as users won't easily be able to switch back to using C Tor; and
  • add a flag that toggles this behavior (--delete-migrated or --no-delete-migrated, depending on which default behavior we settle on).