- The Tor Project is experimenting with stateless, RAM-only relays
- The measure aims to protect node operators from hardware seizures.
- Building diskless nodes is technically difficult due to Tor infrastructure
The Tor browser has long been the gold standard for anonymous web browsing, but it faces a constant physical threat: server raids. Now, the project is exploring a technical upgrade to make hardware seizures completely useless by developing “stateless” relays that clean themselves on reboot.
Using a RAM-only infrastructure, these diskless Tor nodes are designed to leave no data, logs, or recoverable cryptographic artifacts behind. They run entirely in random access memory (RAM).
As authorities globally step up efforts to unmask users on the dark web, volunteer node operators face an increasing risk of physical attacks on hardware.
A server that forgets
The push for stateless infrastructure is led by Osservatorio Nessuno, an Italian digital rights nonprofit that operates Tor exit relays.
If an operator’s hardware is compromised, traditional disk-based servers can become a huge liability. As the group explains, “A relay that can be confiscated and its contents handed over erodes the trust on which the system depends.”
What if Tails existed for Tor relayers? 🔎 Check out our latest guest post from Osservatorio Nessuno, which explores how a stateless and diskless operating system can improve #Tor relay security and improve resistance to physical attacks. https://t.co/xKJHqBzvxjApril 9, 2026
In contrast, a stateless system stores nothing between reboots.
These types of servers aim to impose better security by design, ensuring that if a machine is cloned or confiscated by the police, there is simply nothing left to analyze.
“The network is designed so that no operator or server can reconstruct who is talking to whom. Journalists, activists and whistleblowers depend on that resistance,” says Osservatorio Nessuno.
The reputation problem
While running a system entirely in RAM is not a new concept, the privacy-focused infrastructure behind Tor presents significant technical obstacles.
The Tor network is fundamentally based on reputation. Repeaters that stay online longer gain trust and bandwidth flags, making them more vital to network speed and reliability.
This hard-earned reputation is directly linked to the long-term cryptographic identity keys stored on the server. However, if a RAM-based relay goes down and loses those keys, it reboots without identity, forcing its reputation to start from scratch.
To solve this, researchers are exploring alternative hardware-based solutions.
One proposed method involves sealing a relay’s identity keys inside a hardware security chip, known as a Trusted Platform Module (TPM). By binding the key to a specific system state, the identity can survive a reboot without authorities taking over the server being able to directly extract the key.
The project is currently in an experimental phase, expanding on discussions started at the Tor Community Gathering in 2025. While the Tor network has historically resisted attempts to take it down, moving toward a self-cleaning infrastructure could permanently change the anonymity game, proving that the safest data is that which does not exist.
