Tuning Onionmine
Info
This section was originally available at the Onionspray mining guide.
While some parts are now specific to Onionmine, it also works as general guidance on mining Onion Service keys.
Hardware requirements
Some people mine .Onion Addresses on local hardware for privacy and safety, whilst others are happy to rent a GPU-based compute-heavy instance from an internet service provider, or similar.
We're not going to make terribly strong software recommendations, because it depends on what you already have at your disposal, what fits the hardware you have access to, and especially on your threat model: how far you are willing to trust third-party systems for mining .onion keys.
For instance, you can build a small cluster of Raspberry Pi for mining.
If you are looking for a really meaningful, long-prefix Onion Address up front, you will have to expend a lot of money and CPU-time in order to find one. This is why the next section is really important in order to get the most "bang for your buck".
Tuning mkp224o
Onionmine uses mkp224o under the hood for mining .Onion Addresses and supports all its optimizations.
These optimizations can either be configured globally or locally on each pool, such as given in this example:
How to best approach this challenge?
Resource-intensive operation
Remember that this process is also energy-intensive, so we don't recommend that you go after a very long prefix. Try to get something up to 7 characters.
If you're setting up multiple onions for your site -- e.g. if there are one or more CDNs associated with your site -- it is nice to set up vanity onions for them, too; partly for "cute" but also to stop yourself going crazy during debugging.
For instance, the (now defunct v2) NYT onion was https://www.nytimes3xbfgragh.onion/ and their CDN onion was https://graylady3jvrrxbe.onion/. Similarly there were https://www.facebookcorewwwi.onion/ and https://fbcdn23dssr3jqnq.onion/ for Facebook.
Ask yourself now: perhaps use your CDN Onion to reflect your own history and site/brand culture? Perhaps you can mine several Onion Addresses at the same time, even speculatively?
Onion mining is a matter of luck and expensive resources, and (counterintuitively?) the rarest resource that you have is time, as measured by your wall clock.
Therefore, if you are mining onions for a lot of sites, the best strategy is as follows:
- Be mindful not to expend too many computing resources, which consumes energy and may have a negative environmental impact.
- Have breakfast and some tea or coffee. Try to get into a creative mood. You are making an investment of time and energy now to save yourself time and effort, later.
- Sit down, open a document, and try to think inclusively of every possible prefix that you might ever find acceptable at the start (or suffix, at the end) of your Onion Addresses, for all of your sites and CDNs, and write them all down. You may create 10, 20, or more. No ideas are bad ideas. Deduplicate them (e.g.: it's pointless to look for nytimes if you're already looking for anything beginning with nyt). Each additional prefix is nearly zero-cost, compared to the days, weeks, or months of time that your computers will spend in grinding their way through cryptography.
- Configure your software to search for all of these, for all of your sites, simultaneously. Set it running. Make sure to configure options (or: wrap it in a shell script) so that it runs 24x7, saving all the successful matches into the local filestore.
- If/when you think of yet another prefix, stop your software, configure the extra prefix, and start it running again. Save all of the successful matches, never throw anything away.
- When you are approaching ship-date, get all the relevant parties together (or just yourself) and grab some beer/wine and use grep to go looking for the best ones. Eyeball the whole list, if you can.
- You will be surprised -- especially if you've invested fully into choosing as many meaningful prefixes as possible -- because you're dealing with randomness here, and raw entropy is more creative than you'd ever imagine.
- There is also a vast amount of noise -- huge, enormous quantities of gibberish -- but that's okay, because (again) storage+grep is much cheaper than encryption+wallclocktime.
- When the Facebook .onion address was mined, the mkp224o search pattern was ^(facebook|fbcdn|fbsbx|...) and a few others all in a single pattern. People spent a few days deciding amongst the good ones.
- Similarly the mkp224o search pattern for the NY Times was ^(nytimes|nytcdn|nytwww|graylady|...) and a few other potential prefixes, perhaps a dozen, all in one pattern; and I mined Onion Addresses for other sites at the same time, on the same hardware, in the same process.
- Why do it this way? In short, because encryption is relatively expensive, and string comparisons are really cheap. Every single candidate Onion Address that you generate should be tested against everything that you can imagine ever looking for, otherwise it's a wasted opportunity.
- Ideally, make sure that you are thoroughly in control of the backups and storage of the machine upon which you are doing the mining; try to use an encrypted partition if you can.
- Ensure that you have proper controls over all media which ever receives a copy of the Onion Address key.
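The brainstorm, deduplicate and combine steps above, as an added example that is not part of the original guide or of Onionmine: it rejects candidates outside the base32 alphabet of .onion hostnames, drops prefixes already covered by a shorter one, builds the single anchored pattern, and estimates the mean number of keys generated before a first hit. The candidate list, the saved hostnames and all function names are constructed for illustration.

```python
import re

# Base32 alphabet used in .onion hostnames: a-z and 2-7 (no 0, 1, 8, 9).
ONION_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def normalize(candidates):
    """Lowercase and trim; return (valid set, rejected list)."""
    valid, rejected = set(), []
    for raw in candidates:
        word = raw.strip().lower()
        if word and set(word) <= ONION_ALPHABET:
            valid.add(word)
        elif word:
            rejected.append(word)
    return valid, rejected


def drop_covered(prefixes):
    """Drop prefixes already matched by a shorter one (nyt covers nytimes)."""
    kept = []
    for word in sorted(prefixes, key=lambda w: (len(w), w)):
        if not any(word.startswith(k) for k in kept):
            kept.append(word)
    return kept


def build_pattern(prefixes):
    """One anchored alternation, in the ^(a|b|...) form quoted above."""
    return "^(" + "|".join(prefixes) + ")"


def expected_attempts(prefixes):
    """Mean number of keys generated before any (disjoint) prefix hits."""
    return 1.0 / sum(32.0 ** -len(p) for p in prefixes)


# Constructed brainstorm list; "site01" shows an entry that can never match.
CANDIDATES = ["nyt", "NYTimes", "nytcdn", "graylady", "site01", " fbcdn "]
# Constructed 56-character hostnames standing in for saved matches.
SAVED = ["graylady" + "a" * 48 + ".onion", "zzz" + "b" * 53 + ".onion"]

if __name__ == "__main__":
    valid, rejected = normalize(CANDIDATES)
    kept = drop_covered(valid)
    pattern = build_pattern(kept)
    print("rejected:", rejected)
    print("pattern: ", pattern)
    print("mean attempts to first hit: %.0f" % expected_attempts(kept))
    print("matches: ", [h for h in SAVED if re.match(pattern, h)])
```

Each extra character multiplies the mean work by 32, which is why a 7-character prefix already averages about 3.4e10 generated keys, while adding more alternatives to the pattern only lowers the time to the first hit.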
Best of luck to you. :-)