- The Tor project is experimenting with stateless, RAM-only relays
- The move aims to protect node operators from hardware seizures
- Building diskless nodes is technically difficult due to Tor’s infrastructure
The Tor browser has long been the gold standard for anonymous web browsing, but it faces a persistent physical threat: server raids. Now the project is investigating a technical upgrade to make hardware seizures completely useless by developing “stateless” relays that wipe themselves clean on a reboot.
Using RAM-only infrastructure, these diskless Tor nodes are designed to leave behind absolutely no recoverable data, logs or cryptographic artifacts. They run exclusively in RAM (Random-Access Memory).
As authorities globally step up efforts to expose users on the dark web, volunteer node operators face an escalating risk of physical hardware raids.
A server that forgets
The push for stateless infrastructure is being spearheaded by Osservatorio Nessuno, an Italian non-profit digital rights organization that operates Tor exit relays.
If an operator’s hardware is compromised, traditional disk-based servers can become a major liability. As the group explains, “A relay that can be seized and its contents released erodes the very trust the system depends on.”
What if there were Tails for Tor relays? 🔎 Check out our latest guest post by Osservatorio Nessuno exploring how a stateless, diskless operating system can improve #Tor relay security and improve physical attack resistance. https://t.co/xKJHqBzvxjApril 9, 2026
In contrast, a stateless system does not save anything between reboots.
These types of servers aim to enforce better security by design, guaranteeing that if a machine is cloned or seized by the police, there is simply nothing left to analyze.
“The network is designed so that no single operator or server can reconstruct who is talking to whom. Journalists, activists and whistleblowers depend on it to hold up,” notes Osservatorio Nessuno.
The reputation problem
Although running a system entirely in RAM is not a new concept, the privacy-focused infrastructure behind Tor introduces major technical hurdles.
The Tor network is fundamentally based on reputation. Relays that stay online longer earn trust and bandwidth flags, making them more critical to network speed and reliability.
This hard-earned reputation is tied directly to long-term cryptographic identity keys stored on the server. However, if a RAM-based relay shuts down and loses these keys, it reboots without identity, forcing its reputation to start from scratch.
To address this, researchers are exploring hardware-based solutions.
One proposed method involves sealing a relay’s identity keys in a hardware security chip, known as a Trusted Platform Module (TPM). By tying the key to a specific system state, the identity can survive a reboot without the key ever being extracted directly by authorities seizing the server.
The project is currently in an experimental phase, expanding on discussions initiated at the Tor Community Gathering in 2025. While the Tor network has historically weathered attempts to disable it, moving toward a self-deleting infrastructure could permanently change the game for anonymity, proving that the most secure data is the data that doesn’t exist.
