Add support for performing signing operations using ssh-agent
It would be nice if private keys on disk could be better protected. One way of doing this is to add support in tor for communicating with ssh-agent for signing operations, instead of accessing the secret key itself by reading it from an unencrypted file stored on disk. tor would then only ever handle the public key and the signatures the agent returns.
From the operator's perspective, this would require i) running ssh-agent and ii) adding the key(s) to the agent before starting tor.
ssh-agent binds to a UNIX domain socket (its path is conventionally exported in the SSH_AUTH_SOCK environment variable) which tor would open and communicate over using the protocol specified in https://tools.ietf.org/html/draft-miller-ssh-agent-02. Only two of its requests are needed: listing the loaded identities (to find the configured public key) and requesting a signature over a blob of data.
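As an added example (not tor's code and not part of this ticket), the following Python client implements the two agent requests named above on the wire format from draft-miller-ssh-agent: SSH_AGENTC_REQUEST_IDENTITIES and SSH_AGENTC_SIGN_REQUEST, each framed as a uint32 length followed by the message. So that it runs offline, a constructed stand-in agent is served over a socketpair; its "signature" is a plain digest used only to exercise the framing, whereas a real ssh-agent returns an actual Ed25519/RSA signature and, as with the stand-in, the client never sees the private key. The sample public key, the comment string and the data to be signed are all constructed.

```python
"""Minimal ssh-agent client (list identities, sign) per draft-miller-ssh-agent.
Example code, not tor's; the stand-in agent below is constructed for offline use."""
import base64, hashlib, os, socket, struct, threading

SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14
MAX_FRAME = 256 * 1024  # assumption: refuse absurd frame lengths before allocating

def ssh_string(b):                       # SSH "string": uint32 length + bytes
    return struct.pack(">I", len(b)) + b

def take_string(buf, off):               # parse one SSH string, bounds-checked
    if off + 4 > len(buf):
        raise ValueError("truncated agent message")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated agent message")
    return buf[off:off + n], off + n

def recv_exact(sock, n):
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the socket")
        buf += chunk
    return bytes(buf)

def recv_frame(sock):
    (n,) = struct.unpack(">I", recv_exact(sock, 4))
    if n == 0 or n > MAX_FRAME:
        raise ValueError("bad agent frame length %d" % n)
    return recv_exact(sock, n)

def send_frame(sock, payload):
    sock.sendall(struct.pack(">I", len(payload)) + payload)

class AgentClient:
    def __init__(self, sock):
        self.sock = sock

    @classmethod
    def connect(cls, path=None):         # real agent: AF_UNIX socket at $SSH_AUTH_SOCK
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.connect(path or os.environ["SSH_AUTH_SOCK"])
        return cls(s)

    def _rpc(self, payload):
        send_frame(self.sock, payload)
        return recv_frame(self.sock)

    def list_identities(self):
        """Return [(public key blob, comment)] for every key loaded in the agent."""
        resp = self._rpc(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))
        if resp[0] != SSH_AGENT_IDENTITIES_ANSWER:
            raise RuntimeError("unexpected agent reply type %d" % resp[0])
        (count,) = struct.unpack_from(">I", resp, 1)
        off, keys = 5, []
        for _ in range(count):
            blob, off = take_string(resp, off)
            comment, off = take_string(resp, off)
            keys.append((blob, comment.decode("utf-8", "replace")))
        return keys

    def sign(self, key_blob, data, flags=0):
        """Ask the agent to sign data with the key identified by its public blob.
        Returns (signature format name, raw signature bytes)."""
        req = (bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(key_blob)
               + ssh_string(data) + struct.pack(">I", flags))
        resp = self._rpc(req)
        if resp[0] == SSH_AGENT_FAILURE:   # key not loaded, or user/agent denied it
            raise PermissionError("agent refused to sign")
        if resp[0] != SSH_AGENT_SIGN_RESPONSE:
            raise RuntimeError("unexpected agent reply type %d" % resp[0])
        sig, _ = take_string(resp, 1)      # signature is itself "string fmt, string blob"
        fmt, off = take_string(sig, 0)
        raw, _ = take_string(sig, off)
        return fmt.decode("ascii"), raw

def ed25519_blob(pub32):                 # wire form of an ssh-ed25519 public key
    return ssh_string(b"ssh-ed25519") + ssh_string(pub32)

def stand_in_signature(blob, data):      # constructed stand-in, NOT a real signature
    return hashlib.sha512(blob + data).digest()

def stand_in_agent(sock, keys):
    """Constructed stand-in for ssh-agent: serves one connection until EOF."""
    try:
        while True:
            msg = recv_frame(sock)
            if msg[0] == SSH_AGENTC_REQUEST_IDENTITIES:
                body = struct.pack(">I", len(keys)) + b"".join(
                    ssh_string(k) + ssh_string(c.encode()) for k, c in keys.items())
                send_frame(sock, bytes([SSH_AGENT_IDENTITIES_ANSWER]) + body)
            elif msg[0] == SSH_AGENTC_SIGN_REQUEST:
                blob, off = take_string(msg, 1)
                data, _ = take_string(msg, off)
                if blob not in keys:
                    send_frame(sock, bytes([SSH_AGENT_FAILURE]))
                    continue
                sig = ssh_string(b"ssh-ed25519") + ssh_string(stand_in_signature(blob, data))
                send_frame(sock, bytes([SSH_AGENT_SIGN_RESPONSE]) + ssh_string(sig))
            else:
                send_frame(sock, bytes([SSH_AGENT_FAILURE]))
    except (ConnectionError, ValueError):
        pass
    finally:
        sock.close()

SAMPLE_PUB = bytes(range(32))            # constructed sample public key
SAMPLE_CONFIG_B64 = base64.b64encode(ed25519_blob(SAMPLE_PUB)).decode()

def run_demo(data=b"constructed descriptor bytes to sign"):
    agent_side, client_side = socket.socketpair()
    t = threading.Thread(target=stand_in_agent, daemon=True,
                         args=(agent_side, {ed25519_blob(SAMPLE_PUB): "relay identity"}))
    t.start()
    client = AgentClient(client_side)
    wanted = base64.b64decode(SAMPLE_CONFIG_B64)   # what the config option would carry
    loaded = [c for blob, c in client.list_identities() if blob == wanted]
    if not loaded:
        raise LookupError("configured key is not loaded in the agent")
    fmt, sig = client.sign(wanted, data)
    try:
        client.sign(ed25519_blob(b"\xff" * 32), data)
        refused = False
    except PermissionError:
        refused = True
    client_side.close()
    t.join(timeout=2)
    return {"comment": loaded[0], "format": fmt, "sig": sig, "unknown_key_refused": refused}

if __name__ == "__main__":
    print(run_demo())
```

Against a real agent, replace the socketpair with AgentClient.connect() and compare the decoded Base64 public key from the configuration against list_identities(); a SSH_AGENT_FAILURE on sign means the key is not loaded (or the agent declined), which is the failure tor would have to surface at startup rather than silently continuing.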
I propose that configuration options are added for the relevant keys and that the option format include a type field specifying how to access the key. The type field would be separated from the rest of the option value by ':'. The two defined types would be file and ssh-agent. File type keys would have a path specification, and ssh-agent keys would have the public key in Base64 (and an optional PKCS #11 provider name, if that proves necessary to accommodate multiple simultaneous HSM devices). A key not mentioned in the configuration simply defaults to current tor behaviour (implying file type) for backward compatibility.
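As an added example of how the proposed option syntax could be parsed (example code, not tor's; the option names file and ssh-agent are the ones proposed above, the field names in the returned dict and the provider name used in the usage are assumptions), including the backward-compatible bare-path case and rejection of a non-Base64 public key:

```python
"""Parser for the proposed TYPE:SPEC key option syntax. Example code, not tor's."""
import base64, struct

KEY_TYPES = ("file", "ssh-agent")

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

def key_blob_type(blob):
    """The first SSH string of a public key blob names its algorithm (e.g. ssh-ed25519)."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack_from(">I", blob, 0)
    if n == 0 or 4 + n > len(blob):
        raise ValueError("malformed key blob")
    return blob[4:4 + n].decode("ascii")

def parse_key_option(value):
    """file:PATH | ssh-agent:BASE64PUBKEY[:PKCS11PROVIDER] | PATH (legacy, implies file)."""
    type_, sep, rest = value.partition(":")
    if not sep or type_ not in KEY_TYPES:
        # No recognised type prefix: the whole value is a path, as tor behaves today.
        # This also keeps a legacy path containing ':' intact.
        return {"type": "file", "path": value}
    if type_ == "file":
        if not rest:
            raise ValueError("file: requires a path")
        return {"type": "file", "path": rest}
    b64, _, provider = rest.partition(":")  # Base64 never contains ':', so this split is safe
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as e:                 # binascii.Error is a ValueError subclass
        raise ValueError("ssh-agent: public key is not valid Base64") from e
    opt = {"type": "ssh-agent", "pubkey": blob, "algorithm": key_blob_type(blob)}
    if provider:
        opt["pkcs11_provider"] = provider
    return opt

# Constructed sample: an all-zero ssh-ed25519 public key in its SSH wire encoding.
SAMPLE_B64 = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))).decode()

if __name__ == "__main__":
    for v in ("file:/var/lib/tor/keys/secret_id_key", "/var/lib/tor/keys/secret_id_key",
              "ssh-agent:" + SAMPLE_B64, "ssh-agent:" + SAMPLE_B64 + ":opensc-pkcs11.so"):
        print(v, "->", parse_key_option(v))
```

Validating the Base64 and the blob's leading algorithm string at parse time means a mistyped option is rejected when the configuration is loaded, rather than surfacing later as an agent that reports no matching identity.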
It should be noted that an operator who is able to put the secret keys on an encrypted volume, mounted at system startup, achieves similar protection against an attacker who obtains the disk. An upside of the proposed approach is that keys can be moved to an external device (often called an HSM) that has a PKCS #11 provider, so the secret key is never present in tor's memory at all.
Another way of achieving the narrower goal of encrypting keys on disk would be to allow for encrypted keys (presumably by storing them in PKCS #8 format instead of PKCS #1) and to have tor read the pass phrase(s) from somewhere when starting up.