Information about our Tor relays can be found on this page.


Security is important to us. A few selected items of what we do:

  • access to our servers (SSH) requires 2-factor authentication (pubkey and password)
  • authorized SSH keys are handed out in hardware (Yubikeys)
  • where supported, updates are installed automatically (including automatic reboot when necessary)
  • our domain is DNSSEC signed
  • we support DANE for email traffic
  • statically generated website for a reduced attack surface (with some security headers)
  • HSTS (without preloading)
  • we make use of 2-factor authentication for all 3rd-party services where supported (,, stripe, github, twitter, mastodon, ...)
  • to make BGP hijacking attacks harder, /24 (IPv4) and /48 (IPv6) prefixes are announced
  • all our services are covered by RPKI ROAs to make BGP hijacking even harder
  • we make use of CAA, TLSA and SSHFP DNS records
  • we monitor certificate transparency logs for our domain to spot rogue certificates
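
The two BGP items in the list above, as an added illustration (not code or data from the operators of this site): RFC 6811 route origin validation combined with longest-prefix matching, showing what a most-specific announcement and a ROA each contribute. The prefixes are documentation ranges, the ASNs are private-use numbers, and the /24 and /48 acceptance limits are an assumed common filtering convention.

```python
import ipaddress

# Constructed sample data: documentation prefixes and private-use ASNs,
# not the operator's real announcements or ROAs.
ROAS = [("192.0.2.0/24", 24, 64500), ("2001:db8:1::/48", 48, 64500)]
MAX_ACCEPTED = {4: 24, 6: 48}  # assumption: longest prefixes most networks accept

def rov_state(prefix, origin_asn, roas=ROAS):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue  # this ROA does not cover the announced prefix
        covered = True
        if origin_asn == roa_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def accepted(prefix, origin_asn, enforce_rov, roas=ROAS):
    """Would a network with this policy install the announcement?"""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen > MAX_ACCEPTED[net.version]:
        return False  # too specific, filtered regardless of RPKI
    return not (enforce_rov and rov_state(prefix, origin_asn, roas) == "invalid")

def origins_for(dest, announcements, enforce_rov, roas=ROAS):
    """Origin ASNs of the longest accepted prefix covering dest."""
    ip = ipaddress.ip_address(dest)
    hits = [(ipaddress.ip_network(p), asn) for p, asn in announcements
            if accepted(p, asn, enforce_rov, roas)]
    hits = [(n, asn) for n, asn in hits if n.version == ip.version and ip in n]
    if not hits:
        return []
    longest = max(n.prefixlen for n, _ in hits)
    return sorted({asn for n, asn in hits if n.prefixlen == longest})

if __name__ == "__main__":
    # AS64500 is the ROA holder; AS64511 is an unauthorised origin.
    anns = [("192.0.2.0/24", 64500), ("192.0.2.0/25", 64511), ("192.0.2.0/24", 64511)]
    print(origins_for("192.0.2.10", anns, enforce_rov=False))  # [64500, 64511]
    print(origins_for("192.0.2.10", anns, enforce_rov=True))   # [64500]
```

Without validation the /25 is filtered for length but the competing /24 still ties with the legitimate one; with validation only the ROA holder remains.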

On our Wishlist

  • DNSSEC for reverse zones
  • HSTS preloading (will require a second domain because we want people to be able to visit Tor's DirPort on port 80 with their browsers if they found our exit IP in their logs)

3rd Party Services

Some of the services we use are not operated by ourselves for availability reasons (we do not have a 24/7 team), but we try to choose our service providers wisely. We have no affiliation with them; they are listed here so that others have some practical input in case they care about similar values.

DNS (Authoritative)

This section is about the authoritative nameservers for "" and should not be confused with our DNS Privacy Services.

We use in combination with as the authoritative name servers for "" because they:

  • support DNSSEC and security related DNS records (CAA, TLSA and SSHFP)
  • support 2-factor authentication (TOTP, Yubikey)
  • are Tor-friendly
  • are affordable


We use for email because they:

  • generally are a privacy-aware email provider (minimal information required during account registration)
  • are Tor-friendly (and operate a small Tor exit relay)
  • offer mailbox access via onion services
  • support DKIM
  • support DANE
  • support 2-factor authentication
  • are affordable