
Comments (8)

lukechilds commented on August 22, 2024

I agree that the LND password in plain text on the filesystem is a non-issue. The risk of having the LND password in plain text on the Umbrel is very low; the wallet is already hot with the keys available most of the time.

There is probably more chance of funds loss due to an offline node than there is due to storing the password for a hot wallet on the same fs as the hot wallet itself.

The only attack vector I see with storing the wallet password in plain text is that in the event the user accidentally leaves their Umbrel drive lying around somewhere, someone could take it and then decrypt their wallet and steal their funds. I think this is user error and not something we should hurt the uptime and stability of all Umbrel users to protect against.

from umbrel.

mayankchhabra commented on August 22, 2024

Concept ACK. Implementation NACK.

The lnd-unlock container requires storing the plain-text lnd password on the Umbrel at all times, which is simply an unacceptable amount of risk to take. Unless lnd comes up with a better way to keep the wallet online without requiring a password to unlock, there isn't a way we can have the wallet unlocked at all times.

Meanwhile, we can notify users when they shut down or reboot their Umbrel to not forget to log in to their dashboard once after it restarts.


nolim1t commented on August 22, 2024

How about a warning that they need to store their password on the filesystem, and that they accept all risks? It's their node after all.

We shouldn't try to stop people from doing so, but warn them.

It's important to have the node and channels online all the time as it's risky to do so - an evil node can simply just close the connection with an earlier version of the database.

Notification may not cut it as the dashboard seems to not work on some mobile Tor clients. And also not everyone can stay monitoring their node 24/7.


nioncode commented on August 22, 2024

The credentials to unlock lnd must come from somewhere and in order to automate the unlock, these must be in plain text (otherwise you'd have to provide a passphrase to decrypt the lnd passphrase, at which point we are back to square one). So as far as I can see it, there is no way around storing the lnd password in plain text.

Automatic unlock of lnd is a must-have, otherwise users might forget to unlock lnd after a reboot or crash and their node would be offline.


nolim1t commented on August 22, 2024

So lnd-unlock can be brought back?

It's opt-in only, it will do nothing if the file is not present. So you can display a warning at that point then to let them make the decision whether or not to enable it. Also physical access means you literally have root (through 'physical' persuasion anyway).

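The opt-in behaviour described in the comment above ("it will do nothing if the file is not present") can be paired with checks on how the password file is stored. This is an added example, not code from the thread or from Umbrel; the file name `lnd-password` and the function names are hypothetical.

```python
import os
import stat
import tempfile


class UnsafePasswordFile(Exception):
    """The opt-in file exists but is stored in a way we refuse to use."""


def read_unlock_password(path):
    """Return the password bytes, or None when the user has not opted in."""
    try:
        # O_NOFOLLOW refuses a symlink at the path; O_NONBLOCK avoids hanging on a FIFO.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except FileNotFoundError:
        return None  # file absent: auto-unlock stays off, do nothing
    except OSError as exc:
        raise UnsafePasswordFile(f"cannot open: {exc}") from exc
    try:
        st = os.fstat(fd)  # inspect the opened file, not the path
        if not stat.S_ISREG(st.st_mode):
            raise UnsafePasswordFile("not a regular file")
        if st.st_uid != os.geteuid():
            raise UnsafePasswordFile("owned by another user")
        if st.st_mode & 0o077:
            raise UnsafePasswordFile("readable by group or others")
        data = os.read(fd, 4096).rstrip(b"\r\n")
    finally:
        os.close(fd)
    if not data:
        raise UnsafePasswordFile("file is empty")
    return data


def demo():
    """Run the three cases against a constructed file in a temp directory."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "lnd-password")  # hypothetical file name
        results.append(read_unlock_password(path))  # not opted in
        with open(path, "wb") as f:
            f.write(b"constructed-sample\n")
        os.chmod(path, 0o644)  # too permissive: must be refused
        try:
            read_unlock_password(path)
        except UnsafePasswordFile as exc:
            results.append(str(exc))
        os.chmod(path, 0o600)  # owner-only: accepted
        results.append(read_unlock_password(path))
    return results
```

These checks limit exposure to other local accounts and processes only; they do nothing for the lost-drive case raised in the thread, where the disk is read offline.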

lukechilds commented on August 22, 2024

> It's opt-in only, it will do nothing if the file is not present.

I think it should be opt-out, that is if it's even worth exposing the setting.

I personally think auto unlock by default without any way to disable it is fine.

> Also physical access means you literally have root (through 'physical' persuasion anyway)

I'm talking about physical access to the storage device, not the Umbrel device.

e.g. the user unplugs the external storage device, carries it around on them, then puts it down somewhere in public and forgets about it.

If someone finds the drive, they can recover the funds if the wallet password is stored in plain text. If the password was encrypted or not stored on disk, the funds would be safe.


nolim1t commented on August 22, 2024

Opt-in or opt-out is fine.

The likelihood of anyone knowing what the drive is to an average onlooker is extremely minuscule.

Losing your physical wallet is more risky, which has paper in it which most people know what it is.

Plus with the disclaimer of not being too reckless unless a user knows what they are doing is all there when they sign up.


nmfretz commented on August 22, 2024

Closing this old issue as it is no longer applicable.
