Closed Kixunil closed 4 years ago
This must be addressed at the implementation level. We do not want to weaken the security model assumed at the implementation level, by obfuscating it at the app level, to make the UX simpler.
Well, the security model is completely broken. :shrug: I agree that solving it at LND would be much better. Sadly they did not even reply a simple answer "Yes, we would/No, we wouldn't accept a PR."
So double thanks to you for at least replying, even if its no.
Is your feature request related to a problem? Please describe.
LND requires setting a wallet password during initialization. This is unfortunate, because in many scenarios, the password doesn't help. (It may be even a net negative! See below.)
Example: an external node with full disk encryption already protects against physical theft, the service is running under a separate user account, the backups are encrypted by some other means. Basically, the only case when it helps is an attacker having read permission to the wallet file and not having read (or write) permission to any other interesting file, including, but not limited to:
/proc/mem
)Especially, considering the fact that macaroons are often in the same directory as wallet, it's extremely unlikely that LND password can protect against meaningful attacks. Further, it comes with its own set of problems:
Describe the solution you'd like Have an option to set
lnd_wallet_password
in the config file or just a bool flag to set it topassword would be harmful here
or other fixed value (meaningful value like the suggested one clearly explains what's going on). If this option is set, the RTL UI doesn't require/allow setting the password during wallet creation and it uses the fixed one instead. If RTL encounters locked LND, it attempts to use that password to unlock it automatically. (This doesn't propose for RTL to be used as LND unlocker, the auto unlock is just a fallback.)Describe alternatives you've considered The obvious alternative is to remove the password from LND as discussed in issue at their repo. Sadly, they didn't even reply to the question asking if they would merge the PR. I suspect that there's a good change a PR would hang there for a very long time.
Additional context There's already tons of always online node setups, often containing some sort of isolation or encryption, where the arguments above apply. This would be extremely helpful for my project too.