Yesterday we set up a new Tor server. I’ve done my part to ensure that researchers can anonymously retrieve supplemental material for the papers that they review.
The tricky bit is setting up a system with encrypted root when the machine is colocated in Germany. Testing your procedure on a local machine first is invaluable. During boot the machine brings up the network and uses socat to open a TLS socket. Then, using a client such as openssl on my laptop, I connect to the server, verify the server certificate, and send the required password to decrypt the root partition. The boot process then continues normally.
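The unlock exchange described above, sketched as an added example rather than the setup actually used on this server. The port, file paths, device name and the use of cryptsetup to open the root partition are all assumptions.

```shell
#!/bin/sh
# Added illustration: every value below is an assumption, not taken from the post.
PORT=4433                     # assumed listener port
CERT=/etc/unlock/server.pem   # assumed: server certificate + key in the initramfs
PIN=./server.crt              # assumed: copy of that certificate kept on the laptop
DEVICE=/dev/sda2              # assumed encrypted root partition
NAME=cryptroot                # assumed device-mapper name

# Run a command, or only print it when DRY_RUN=1 (for checking the setup).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Server side, early boot with the network already up: accept one TLS
# connection (no client certificate required) and hand the received line
# to cryptsetup on stdin. Without "fork", socat exits after that connection.
unlock_listener() {
    run socat "OPENSSL-LISTEN:$PORT,reuseaddr,cert=$CERT,verify=0" \
        "EXEC:cryptsetup open $DEVICE $NAME"
}

# Client side, on the laptop: $1 is the server host name.
# -CAfile trusts the pinned certificate; -verify_return_error aborts the
# handshake on a verification failure, so the passphrase is never sent to
# a peer that presents a different certificate.
send_passphrase() {
    host=$1
    if [ "${DRY_RUN:-0}" != 1 ]; then
        printf 'Passphrase: ' >&2
        stty -echo; IFS= read -r pass; stty echo; echo >&2
    fi
    printf '%s\n' "${pass:-}" | run openssl s_client -connect "$host:$PORT" \
        -CAfile "$PIN" -verify_return_error -quiet
    unset pass
}

# Stand-alone use: "listen" in the initramfs, "send <host>" on the laptop.
case "${1:-}" in
    listen) unlock_listener ;;
    send)   send_passphrase "$2" ;;
esac
```

The listener's private key has to sit in the unencrypted boot environment, so a successful certificate check shows only that the peer holds that key, not that the boot environment is unmodified.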
The next step is to use Trusted Computing to enable remote attestation.