- Tor Project Experiments with Stateless, RAM-Only Relays
- The move aims to protect node operators from hardware seizures.
- Building diskless nodes is technically difficult due to Tor’s infrastructure
The Tor browser has long been the gold standard for anonymous web browsing, but it faces an ongoing physical threat: server raids. Today, the project is exploring a technical upgrade to make hardware inputs completely unnecessary by developing “stateless” relays that automatically clear on reboot.
Using RAM-only infrastructure, these diskless Tor nodes are designed to leave absolutely no recoverable data, logs, or cryptographic artifacts. They operate entirely in random access memory (RAM).
As authorities around the world step up efforts to unmask dark web users, volunteer node operators face a growing risk of physical hardware raids.
A waiter who forgets
The campaign for stateless infrastructure is led by Osservatorio Nessuno, an Italian digital rights nonprofit that operates Tor exit relays.
If an operator’s hardware is compromised, traditional disk-based servers can become a huge liability. As the group explains, “a relay that can be seized and its contents delivered erodes the very trust on which the system depends.”
What if there were Tails relays for Tor? 🔎 Check out our latest article from Osservatorio Nessuno which explores how a stateless, diskless operating system can improve #Tor relay security and improve resistance to physical attacks. https://t.co/xKJHqBzvxjApril 9, 2026
In contrast, a stateless system stores nothing between reboots.
These types of servers aim to build security by design, ensuring that if a machine is cloned or seized by the police, there is simply nothing left to scan.
“The network is designed in such a way that no operator or server can reconstruct who is talking to whom. Journalists, activists and whistleblowers depend on it,” notes Osservatorio Nessuno.
The reputation problem
While running a system entirely in RAM is not a new concept, the privacy-focused infrastructure behind Tor introduces major technical hurdles.
The Tor network is fundamentally reputation-based. Relays that stay online longer gain trust and bandwidth metrics, making them more critical to network speed and reliability.
This hard-earned reputation is directly linked to the long-term cryptographic identity keys stored on the server. Yet if a RAM-based relay shuts down and loses these keys, it restarts without an identity, forcing its reputation to start from scratch.
To solve this problem, researchers are exploring hardware solutions.
One proposed method is to seal a relay’s identity keys in a hardware security chip, known as a Trusted Platform Module (TPM). By tying the key to a specific system state, the identity can survive a reboot without the key ever being able to be directly extracted by authorities taking over the server.
The project is currently in an experimental phase, expanding on discussions initiated at the Tor Community Gathering in 2025. Although the Tor network has historically resisted attempts to disable it, the move toward a self-erasing infrastructure could be a permanent game-changer when it comes to anonymity, proving that the most secure data is the one that doesn’t exist.
