Tor network under attack by authorities: project explores relays that wipe themselves clean after reboot


The Tor Project wants network nodes to refrain from storing data in case authorities want to analyze it. The anonymity network is considering using stateless machines to help prevent attacks, operator errors, or infiltration by authorities, improving network trustworthiness.

You might’ve been using Tor to browse the internet anonymously, shield from unwanted surveillance, or bypass censorship. Tor Browser has become a go-to tool for anonymous browsing by journalists, political activists, whistleblowers, marginalized communities – and cybercriminals.

Tor users’ traffic leaves the network through a relatively small number of exit nodes – relays maintained by the community. When authorities see suspicious activity originating from an exit node’s IP address, they come knocking, and relay operators have suffered many raids.


The Tor Project acknowledges that relay servers are becoming a liability, citing authorities' actions in Austria, Germany, the US, Russia, and likely many more.

“Some operators have to deal with seizures, raids, and direct physical access to hardware,” explains Osservatorio Nessuno, an Italian non-profit organization defending digital rights that itself operates Tor relays.


Law enforcement agencies have also been infiltrating the Tor network to surveil and unmask users on the dark web.

The non-profit says it is experimenting with stateless relays – essentially, servers that store no data on disk to help protect from attacks or errors. They run entirely in RAM, and any reboot or shutdown leaves no data to analyze.

“The network is designed so that no single operator or server can reconstruct who is talking to whom. Journalists, activists, and whistleblowers depend on that holding up. A relay that can be seized and its contents handed over erodes the very trust the system depends on,” the post on Tor Project’s blog reads.

Making Tor relays stateless is hard

The idea of running an entire system in RAM (random-access memory) is not new and is similar to how Tails, a privacy-focused Linux distribution, operates. It boots from an immutable, fixed image and runs entirely in memory, meaning that all user activity and files are wiped when the device is powered off.

(Image: Tor Browser screen. Image by Shutterstock.)

Since 2015, Tor operators have had the option to run Tor-ramdisk, a micro Linux distribution that runs from RAM.

The problem is that the Tor network is reputation-based – relays that have been running longer earn more trust and weight in the network. That reputation is tied to long-term cryptographic identity keys that a relay has to store, and RAM-based relays lose them on every reboot, starting from scratch.

Relays also store other important temporary information, like bandwidth history, and discarding it degrades performance.

“The relay’s identity must survive reboots without being extractable. A key stored on disk can be seized and copied; a key stored in a security chip such as the TPM might be more challenging for attackers,” the researchers said.


Researchers hope to employ TPM (Trusted Platform Module) chips, which store cryptographic keys, to seal these secrets by binding them to a measured state of the machine. As long as the software and hardware combination remains unchanged, the key will survive a reboot.

However, TPMs don’t natively support ed25519 keys (the modern digital signature scheme Tor uses). Moreover, a TPM stores such keys as byte strings in non-volatile memory, from which they can still be exported.

For authorities, that means a seized server could be used to impersonate a legitimate relay, partially compromising the anonymity of traffic passing through it.

Osservatorio Nessuno runs relays on bare metal with TPM-backed identity, using a tool they built called Patela. Their relays boot from cryptographically verified images, store keys directly in TPM hardware bound to the measured boot state, and pull configuration remotely. The key survives reboots but can only be accessed by an untampered system.


This introduces operational complexity because updates change the system state, so the keys have to be resealed after each update.
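To make the sealing mechanism and its update problem concrete, here is an added toy simulation (not code from the Tor Project, Osservatorio Nessuno, or Patela, and not a TPM library). It models the chip as a per-device secret plus a bank of PCR registers, seals a placeholder relay key to the measured boot state, and shows three outcomes: a reboot of the same image unseals the key, a changed image does not (hence the resealing step), and a copy of the sealed blob on a different chip is useless. The PCR assignments, measurement strings and the 32-byte "relay key" are all constructed for the example; the sealed key is released as raw bytes into RAM, which is the consequence of the TPM holding an ed25519 key as a byte string rather than signing with it natively.

```python
"""Toy model of TPM-style sealing of a relay identity key to measured boot state.

Constructed simulation for illustration only: NOT a TPM library and NOT the Tor
Project's or Osservatorio Nessuno's Patela code. Real TPMs implement PCR extend,
policy digests and sealing in hardware; here they are modelled with SHA-256/HMAC.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

PCR_COUNT = 24


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR_new = H(PCR_old || H(measured component))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def policy_digest(pcrs: dict, selection: tuple) -> bytes:
    """Digest over the selected PCRs; stands in for a TPM PCR policy."""
    h = hashlib.sha256()
    for idx in selection:
        h.update(bytes([idx]) + pcrs[idx])
    return h.digest()


@dataclass(frozen=True)
class SealedBlob:
    """What ends up on disk: safe to copy, useless without the chip and its state."""
    selection: tuple
    policy: bytes
    ciphertext: bytes
    tag: bytes


class TpmSim:
    """Minimal stand-in for the chip: a per-device seed plus a PCR bank."""

    def __init__(self, seed: Optional[bytes] = None):
        self._seed = seed if seed is not None else os.urandom(32)  # never leaves the "chip"
        self.pcrs = {i: bytes(32) for i in range(PCR_COUNT)}

    def reset(self) -> None:
        """Power cycle: PCRs return to zero, the seed persists."""
        self.pcrs = {i: bytes(32) for i in range(PCR_COUNT)}

    def extend(self, idx: int, measurement: bytes) -> None:
        self.pcrs[idx] = pcr_extend(self.pcrs[idx], measurement)

    def _wrap_key(self, policy: bytes) -> bytes:
        # The wrapping key depends on BOTH the chip seed and the expected PCR state.
        return hmac.new(self._seed, b"seal|" + policy, hashlib.sha256).digest()

    @staticmethod
    def _keystream(key: bytes, n: int) -> bytes:
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def seal(self, secret: bytes, selection: tuple) -> SealedBlob:
        """Bind `secret` to the current values of the selected PCRs."""
        policy = policy_digest(self.pcrs, selection)
        key = self._wrap_key(policy)
        ct = bytes(a ^ b for a, b in zip(secret, self._keystream(key, len(secret))))
        tag = hmac.new(key, policy + ct, hashlib.sha256).digest()
        return SealedBlob(selection, policy, ct, tag)

    def unseal(self, blob: SealedBlob) -> bytes:
        """Release the secret only if the machine measured the same way again."""
        current = policy_digest(self.pcrs, blob.selection)
        if not hmac.compare_digest(current, blob.policy):
            raise PermissionError("PCR policy mismatch: system state changed")
        key = self._wrap_key(blob.policy)
        expected = hmac.new(key, blob.policy + blob.ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, blob.tag):
            raise PermissionError("wrong chip or corrupted blob")
        ks = self._keystream(key, len(blob.ciphertext))
        return bytes(a ^ b for a, b in zip(blob.ciphertext, ks))


# Constructed values: placeholder key and made-up measurements, not real Tor data.
RELAY_KEY = b"\x11" * 32           # stands in for a relay identity key
FIRMWARE = b"firmware-build-A"
IMAGE_V1 = b"relay-image-v1"
IMAGE_V2 = b"relay-image-v2"       # the "update" that changes the measured state
SELECTION = (0, 4)                 # PCR0 <- firmware, PCR4 <- boot image (example choice)


def measured_boot(tpm: TpmSim, firmware: bytes, image: bytes) -> None:
    tpm.reset()
    tpm.extend(0, firmware)
    tpm.extend(4, image)


def try_unseal(tpm: TpmSim, blob: SealedBlob) -> Optional[bytes]:
    try:
        return tpm.unseal(blob)
    except PermissionError:
        return None


def run_scenario() -> dict:
    tpm = TpmSim()
    measured_boot(tpm, FIRMWARE, IMAGE_V1)
    blob = tpm.seal(RELAY_KEY, SELECTION)        # provisioning: seal once

    measured_boot(tpm, FIRMWARE, IMAGE_V1)       # ordinary reboot, same image
    same_image = try_unseal(tpm, blob)

    measured_boot(tpm, FIRMWARE, IMAGE_V2)       # after an update: new measurement
    after_update = try_unseal(tpm, blob)

    # Operator re-supplies the key (unsealed before the update or from an offline
    # copy) and reseals it under the new state; later v2 boots then succeed.
    reblob = tpm.seal(RELAY_KEY, SELECTION)
    measured_boot(tpm, FIRMWARE, IMAGE_V2)
    after_reseal = try_unseal(tpm, reblob)

    other = TpmSim()                              # same disk contents, different chip
    measured_boot(other, FIRMWARE, IMAGE_V1)
    other_chip = try_unseal(other, blob)

    return {
        "same_image": same_image == RELAY_KEY,
        "after_update_unsealed": after_update is not None,
        "after_reseal": after_reseal == RELAY_KEY,
        "other_chip_unsealed": other_chip is not None,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The important design point is that the wrapping key is derived from both the chip's internal seed and the expected PCR state, so neither the blob on disk nor a matching PCR state alone is enough; the flip side, visible in the `after_update_unsealed` result, is that every change to the measured image invalidates the seal and forces the resealing step the article describes.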

Other operators simply choose to run a minimal ramdisk and accept losing their keys after each reboot. Others run a VM-based ramdisk entirely in RAM and manage identity themselves, generating keys offline.

The Tor Project considers several future directions, including adding remote verification for the nodes to prove their keys match the machine state, VM memory isolation from the hypervisor, and publishing node boot logs for the community to audit independently.

The Tor protocol could also be extended to support smaller hardware by eliminating the need for nodes to hold “an entire view of the network locally.”
