Beyond no-log: Tor looks into seizure-proof servers that forget your data

• The Tor Project is experimenting with stateless, RAM-only relays
• The move aims to protect node operators from hardware seizures
• Building diskless nodes is technically difficult due to Tor's infrastructure

The Tor Browser has long been the gold standard for anonymous web browsing, but it faces an ongoing physical threat: server raids. Now, the project is exploring a technical upgrade to render hardware seizures completely useless by developing "stateless" relays that wipe themselves clean upon a reboot.

Utilizing RAM-only infrastructure, these diskless Tor nodes are designed to leave behind absolutely no recoverable data, logs, or cryptographic artifacts. They run entirely in random-access memory (RAM).

While the best VPN services adopted this technology years ago to physically back up their privacy claims, Tor's decentralized nature makes diskless servers uniquely challenging to build. However, the upgrade is becoming increasingly necessary.

As authorities globally ramp up efforts to unmask users on the dark web, volunteer node operators are facing an escalating risk of physical hardware raids.

A server that forgets

The push for stateless infrastructure is being spearheaded by Osservatorio Nessuno, an Italian digital rights non-profit that operates Tor exit relays.

In a guest post published on the Tor Project’s blog, the group noted that "some operators have to deal with seizures, raids, and direct physical access to hardware," citing past server seizures in Austria, Germany, the United States, and Russia.

If an operator's hardware is compromised, traditional disk-based servers can become a massive liability. As the group explains, "A relay that can be seized and its contents handed over erodes the very trust the system depends on."

By contrast, a stateless system doesn't store anything between reboots.

These types of servers aim to enforce better security by design, guaranteeing that if a machine is cloned or seized by police, there is simply nothing left to analyze.

"The network is designed so that no single operator or server can reconstruct who is talking to whom. Journalists, activists, and whistleblowers depend on that holding up," Osservatorio Nessuno notes.

The reputation problem

While running a system entirely in RAM isn't a new concept, the privacy-focused infrastructure behind Tor introduces major technical hurdles.

The Tor network is fundamentally reputation-based. Relays that stay online longer earn trust and bandwidth flags, which make them more vital to the network's speed and reliability.

This hard-earned reputation is tied directly to long-term cryptographic identity keys stored on the server. Yet, if a RAM-based relay shuts down and loses those keys, it reboots with no identity, forcing its reputation to start from scratch.

To solve this, researchers are exploring hardware-based workarounds.

One proposed method involves sealing a relay's identity keys within a hardware security chip, known as a Trusted Platform Module (TPM). By binding the key to a specific system state, the identity can survive a reboot without the key ever being directly extractable by authorities who seize the server.

The project is currently in an experimental phase, expanding on discussions initiated at the Tor Community Gathering in 2025. While the Tor network has historically weathered attempts to disable it, moving toward a self-wiping infrastructure could permanently change the game for anonymity, proving that the most secure data is the data that doesn't exist.

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!