Comments (4)
AFAIK this is exactly how it's supposed to work. For now, I set up an email alert that sends a message every time the service is started (not yet in the guide, a bit complicated with Gmail certs & stuff).
I am not sure yet, if this can be automated in a safe way.
from raspibolt.
Quick extract from the LND Slack discussion board (highly recommended):
Stadicus: Does anybody have best practices on how to handle the manual unlocking of the LND wallet? From an operations (not security) perspective, it's not ideal to manually enter it every time the node itself or the service (maybe due to a crash) is restarted.
X1: @Stadicus how often is the service being restarted in practice? Any automation of password entry kind of negates the security, doesn't it? Curious about the operational flow that would be improved by not manually entering the password? It's done via RPC, so you can unlock it remotely from an RPC client if that helps.
X2: @Stadicus if you want to have auto-unlock, you can create your wallet and restart every time with --noencryptwallet. It's still encrypted, technically, but with a default passphrase. But yeah, in a setup where you're looking for reliability and security, your central monitoring/management stuff can unlock via RPC with a password stored in a secure store (I know Ansible has this capability, for example).
from raspibolt.
Thanks for the answers. So this prompted me to find the 'default' PW code in LND ... which is below.
// We wait until the user provides a password over RPC. In case lnd is
// started with the --noencryptwallet flag, we use the default password
// "xxxx" for wallet encryption.
privateWalletPw := []byte("xxxxx")
publicWalletPw := []byte("xxxxx")
[Note: I replaced the actual PWs with xxxxx for this post .... which is a bit paranoid I will admit as the LND code is public anyway. But my point is that I now know what the default PWs are ... and anybody that can use Google can learn them too].
What this says is that all std LND implementations use the same default PWs if --noencryptwallet is used (e.g. to unlock the wallet automatically at bootup). Seems like a security hole big enough to drive a bus through, like routers left at factory default with login/pw = admin/admin.
Hmmm. How to proceed?
- I don't want to use --noencryptwallet as the world now knows my wallet PW
- But want to have my LN node run 'lights off', including after a power failure.
Guess this is why this is called BETA testing :-)
Appreciate this discussion belongs elsewhere ... but adding this post for completeness.
from raspibolt.
Thanks for sharing this additional data. In my understanding, there is no way to securely store the "secret" for unlocking the wallet on the same machine. If the system is breached, the attacker would gain access to both and could easily run off with the funds.
Therefore, either unlock manually, or let a second system with a secure key storage unlock the node with RPC remotely. This makes sense in my opinion, but I'm not sure myself how I want to proceed.
from raspibolt.
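Added example (not raspibolt's or lnd's own code) for the two sides of the trade-off in this thread: an audit helper that flags a node started with --noencryptwallet (which makes lnd fall back to its public default wallet password), and a remote unlock from a separate management machine so the real password never lives on the node. Assumptions: lnd's REST unlock endpoint is POST /v1/unlockwallet on port 8080 with a base64-encoded "wallet_password" field, a "noencryptwallet" key may also appear in lnd.conf, and the node's tls.cert has been copied to the unlocking machine.

```python
# Added example, not code from raspibolt or lnd. Assumes lnd's REST unlock
# endpoint is POST /v1/unlockwallet (bytes fields are base64 over REST), the
# REST port is 8080, and the node's tls.cert is available locally for pinning.
import base64
import json
import shlex
import ssl
import urllib.request


def uses_default_wallet_password(systemd_unit: str, lnd_conf: str = "") -> bool:
    """True if lnd is launched with --noencryptwallet (cmdline or conf key)."""
    for line in systemd_unit.splitlines():
        line = line.strip()
        if line.startswith("ExecStart="):
            args = shlex.split(line[len("ExecStart="):])
            if any(a == "--noencryptwallet" or a.startswith("--noencryptwallet=")
                   for a in args):
                return True
    for line in lnd_conf.splitlines():            # assumed conf-file spelling
        key, _, val = line.strip().partition("=")
        if key.strip().lower() == "noencryptwallet" and \
                val.strip().lower() in ("", "1", "true"):
            return True
    return False


def build_unlock_request(wallet_password: bytes) -> bytes:
    """JSON body for /v1/unlockwallet; the password travels base64-encoded."""
    return json.dumps(
        {"wallet_password": base64.b64encode(wallet_password).decode()}
    ).encode()


def unlock_remote(host: str, wallet_password: bytes, tls_cert: str,
                  port: int = 8080) -> int:
    """Unlock from the management box; trust only the node's own tls.cert."""
    ctx = ssl.create_default_context(cafile=tls_cert)  # pins the node cert
    req = urllib.request.Request(
        f"https://{host}:{port}/v1/unlockwallet",
        data=build_unlock_request(wallet_password),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status


# Constructed sample unit file that would fall back to the public default password.
SAMPLE_UNIT = "[Service]\nExecStart=/usr/local/bin/lnd --noencryptwallet --bitcoin.active\n"

if __name__ == "__main__":
    print("default-password risk:", uses_default_wallet_password(SAMPLE_UNIT))
```

The password passed to unlock_remote should come from the management machine's secret store (an Ansible vault, for instance) at call time, not from a file on the node.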