core-lightning/doc/lightning-hsmtool.8.md
Rusty Russell 1526b4e7e1 docs: document hsmtool getcodexsecret, refer to it for recover.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2023-08-02 08:42:50 +09:30

108 lines
3.7 KiB
Markdown

lightning-hsmtool -- Tool for working with software HSM secrets of lightningd
=============================================================================
SYNOPSIS
--------
```bash
lightning-hsmtool method [ARGUMENTS]...
```
DESCRIPTION
-----------
**lightning-hsmtool** performs various operations on the `hsm_secret`
file used by the software HSM component of **lightningd**.
This can be used to encrypt and decrypt the `hsm_secret` file,
as well as derive secrets used in channel commitments.
METHODS
-------
**encrypt** *hsm\_secret* *password*
Encrypt the `hsm_secret` file so that it can only be decrypted at
**lightningd** startup.
You must give the option **--encrypted-hsm** to **lightningd**.
The password of the `hsm_secret` file will be asked whenever you
start **lightningd**.
**decrypt** *hsm\_secret* *password*
Decrypt the `hsm_secret` file that was encrypted with the **encrypt**
method.
**dumpcommitments** *node\_id* *channel\_dbid* *depth* *hsm\_secret* \[*password*\]
Show the per-commitment secret and point of up to *depth* commitments,
of the specified channel with the specified peer,
identified by the channel database index.
Specify *password* if the `hsm_secret` is encrypted.
**guesstoremote** *p2wpkh* *node\_id* *max\_channel\_dbid* *hsm\_secret* \[*password*\]
Brute-force the private key to our funds from a remote unilateral close
of a channel, in a case where we have lost all database data except for
our `hsm_secret`.
The peer must be the one to close the channel (and the funds will remain
unrecoverable until the channel is closed).
*max\_channel\_dbid* is your own guess on what the *channel\_dbid* was,
or at least the maximum possible value,
and is usually no greater than the number of channels that the node has
ever had.
Specify *password* if the `hsm_secret` is encrypted.
**generatehsm** *hsm\_secret\_path*
Generates a new hsm\_secret using BIP39.
**checkhsm** *hsm\_secret\_path*
Checks that hsm\_secret matches a BIP39 passphrase.
**dumponchaindescriptors** *hsm\_secret* \[*password*\] \[*network*\]
Dump output descriptors for our onchain wallet.
The descriptors can be used by external services to be able to generate
addresses for our onchain wallet. (for example on `bitcoind` using the
`importmulti` or `importdescriptors` RPC calls)
We need the path to the hsm\_secret containing the wallet seed, and an optional
(skip using `""`) password if it was encrypted.
To generate descriptors using testnet master keys, you may specify *testnet* as
the last parameter. By default, mainnet-encoded keys are generated.
**makerune** *hsm\_secret*
Make a master rune for this node (with `uniqueid` 0)
This produces the same results as lightning-commando-rune(7) on a fresh node.
You will still need to create a rune once the node starts, if you want commando to work (as it is only activated once it has generated one).
**getcodexsecret** *hsm\_secret\_path* *id*
Print out the BIP-93 formatted HSM secret, for use with `--recover`. The `id` is any 4 character string you can use to identify this secret (e.g. `adi0`): it cannot contain `i`, `o`, or `b`, but can contain digits except `1`.
BUGS
----
You should report bugs on our github issues page, and maybe submit a fix
to gain our eternal gratitude!
AUTHOR
------
ZmnSCPxj <<ZmnSCPxj@protonmail.com>> wrote the initial version of
this man page, but many others did the hard work of actually implementing
**lightning-hsmtool**.
SEE ALSO
--------
lightningd(8), lightningd-config(5)
RESOURCES
---------
Main web site: <https://github.com/ElementsProject/lightning>
COPYING
-------
Note: the modules in the ccan/ directory have their own licenses, but
the rest of the code is covered by the BSD-style MIT license.
Main web site: <https://github.com/ElementsProject/lightning>