ElementsProject / lightning

Core Lightning — Lightning Network implementation focusing on spec compliance and performance

lightningd.service config for encrypted hsm_secret #6914

Open GitterDone221 opened 10 months ago

GitterDone221 commented 10 months ago

I would like to set up a systemd lightning.service to ensure that upon system restart lightningd is automatically restarted. Importantly, for my use case, I have an encrypted hsm_secret and would need to somehow incorporate the retrieval and entry of the hsm_secret password as part of the lightningd.service configuration. While I have found online examples of lightningd.service config, none address how to handle lightningd start-up with encrypted hsm_secret.

Could you please provide a sample lightningd.service config for use with encrypted hsm_secret?

cdecker commented 3 months ago

I don't think we can provide a canonical way of doing this, as the strategies to manage and secure passwords are very varied. The fundamental problem is that if we were to just add the password in a file, without requiring user interaction, then that would be no more secure than keeping the hsm_secret unencrypted.

If you can share a bit more about how you'd like to manage the password (1password, pass, yubikey, ...) I think we can discuss this in a more concrete way. I think the ExecStartPre could be used to initiate a decrypt that waits for the user to e.g. press the yubikey, unlocking the secret and storing it in an envvar or similar.
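
Added example, not posted by anyone in this thread and not a unit file from the Core Lightning project: one way to keep the user interaction discussed above is to let the unit block on `systemd-ask-password` and pipe the answer into lightningd, instead of storing the password in a file or an environment variable. The binary path, the `lightning` account and the `/var/lib/lightning` directory are placeholders, and it assumes lightningd reads the hsm_secret password from stdin when stdin is a pipe rather than a terminal.

```ini
# /etc/systemd/system/lightningd.service
# Added example, not a unit shipped by Core Lightning.
# Placeholders: /usr/bin/lightningd, the "lightning" account and
# /var/lib/lightning.
# Assumption: lightningd accepts the hsm_secret password on stdin when stdin
# is a pipe rather than a terminal.

[Unit]
Description=Core Lightning (encrypted hsm_secret, unlocked by an operator)
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
# The wrapper starts as root because systemd-ask-password registers its query
# under /run/systemd/ask-password; setpriv then drops to the unprivileged
# account before lightningd itself runs.
# --timeout=0 waits indefinitely for an answer. The password only travels
# through the pipe: it is not stored in this unit, in a file or in the
# environment, and it never appears on a command line.
ExecStart=/bin/sh -c 'systemd-ask-password --timeout=0 "lightningd hsm_secret password:" | setpriv --reuid=lightning --regid=lightning --init-groups /usr/bin/lightningd --lightning-dir=/var/lib/lightning --encrypted-hsm'
# Each restart needs the operator again, so restart only after a failure and
# leave a pause between attempts.
Restart=on-failure
RestartSec=30

[Install]
WantedBy=multi-user.target
```

After a reboot the unit starts and waits; an operator answers the pending query as root with `systemd-tty-ask-password-agent --query`. The node stays offline until someone does, which is the trade-off for not keeping the password on disk.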