multi: Add --tor.encryptkey flag functionality to encrypt the Tor private key on disk
It's possible that a user might not want the Tor private key to sit on the disk in plaintext (it is a private key after all). So this commit adds a new flag to encrypt the Tor private key on disk using the wallet's seed. When the --tor.encryptkey flag is used, LND will still write the Tor key to the same file, however it will now be encrypted instead of plaintext. This essentially uses the same method to encrypt the Tor private key as is used to encrypt the Static Channel Backup file.
This commit is contained in:
parent
e0fc5bb234
commit
073c990c75
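--- a/go.mod
+++ b/go.mod
@@ -40,7 +40,7 @@ require (
 github.com/lightningnetwork/lnd/queue v1.1.0
 github.com/lightningnetwork/lnd/ticker v1.1.0
 github.com/lightningnetwork/lnd/tlv v1.0.3
-github.com/lightningnetwork/lnd/tor v1.0.2
+github.com/lightningnetwork/lnd/tor v1.1.0
 github.com/ltcsuite/ltcd v0.0.0-20190101042124-f37f8bf35796
 github.com/miekg/dns v1.1.43
 github.com/prometheus/client_golang v1.11.0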
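--- a/go.sum
+++ b/go.sum
@@ -465,6 +465,8 @@ github.com/lightningnetwork/lnd/tlv v1.0.3/go.mod h1:dzR/aZetBri+ZY/fHbwV06fNn/3
 github.com/lightningnetwork/lnd/tor v1.0.0/go.mod h1:RDtaAdwfAm+ONuPYwUhNIH1RAvKPv+75lHPOegUcz64=
 github.com/lightningnetwork/lnd/tor v1.0.2 h1:GlumRkKdzXCX0AIvIi2UXKpeY1Q4RT7Lz/CfGpKSLrU=
 github.com/lightningnetwork/lnd/tor v1.0.2/go.mod h1:RDtaAdwfAm+ONuPYwUhNIH1RAvKPv+75lHPOegUcz64=
+github.com/lightningnetwork/lnd/tor v1.1.0 h1:iXO7fSzjxTI+p88KmtpbuyuRJeNfgtpl9QeaAliILXE=
+github.com/lightningnetwork/lnd/tor v1.1.0/go.mod h1:RDtaAdwfAm+ONuPYwUhNIH1RAvKPv+75lHPOegUcz64=
 github.com/ltcsuite/ltcd v0.0.0-20190101042124-f37f8bf35796 h1:sjOGyegMIhvgfq5oaue6Td+hxZuf3tDC8lAPrFldqFw=
 github.com/ltcsuite/ltcd v0.0.0-20190101042124-f37f8bf35796/go.mod h1:3p7ZTf9V1sNPI5H8P3NkTFF4LuwMdPl2DodF60qAKqY=
 github.com/ltcsuite/ltcutil v0.0.0-20181217130922-17f3b04680b6/go.mod h1:8Vg/LTOO0KYa/vlHWJ6XZAevPQThGH5sufO0Hrou/lA=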
@ -13,5 +13,6 @@ type Tor struct {
|
|||||||
V2 bool `long:"v2" description:"Automatically set up a v2 onion service to listen for inbound connections"`
|
V2 bool `long:"v2" description:"Automatically set up a v2 onion service to listen for inbound connections"`
|
||||||
V3 bool `long:"v3" description:"Automatically set up a v3 onion service to listen for inbound connections"`
|
V3 bool `long:"v3" description:"Automatically set up a v3 onion service to listen for inbound connections"`
|
||||||
PrivateKeyPath string `long:"privatekeypath" description:"The path to the private key of the onion service being created"`
|
PrivateKeyPath string `long:"privatekeypath" description:"The path to the private key of the onion service being created"`
|
||||||
|
EncryptKey bool `long:"encryptkey" description:"Encrypts the Tor private key file on disk"`
|
||||||
WatchtowerKeyPath string `long:"watchtowerkeypath" description:"The path to the private key of the watchtower onion service being created"`
|
WatchtowerKeyPath string `long:"watchtowerkeypath" description:"The path to the private key of the watchtower onion service being created"`
|
||||||
}
|
}
|
||||||
|
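Review bot: The new `EncryptKey` flag's description says only that the key file is encrypted, not what the encryption key is tied to, which is the operationally important part: the onion service identity becomes recoverable only with the wallet's key ring, and the help text is where an operator will look for that. Suggest `description:"Encrypts the Tor private key file on disk using a key derived from the wallet's key ring; the onion service can then only be restored together with the wallet seed"`. It would also help to state, here or in the docs, what happens to an existing plaintext key file when the flag is first enabled (overwritten in place, or left behind), since the tor package change that decides this is not in this diff and the answer determines whether plaintext key material lingers on disk. The `Tor` struct header is outside the hunk.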
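--- a/lnd.go
+++ b/lnd.go
@@ -474,6 +474,8 @@ func Main(cfg *Config, lisCfg ListenerCfg, implCfg *ImplementationCfg,
 if torController != nil {
 wtCfg.TorController = torController
 wtCfg.WatchtowerKeyPath = cfg.Tor.WatchtowerKeyPath
+wtCfg.EncryptKey = cfg.Tor.EncryptKey
+wtCfg.KeyRing = activeChainControl.KeyRing
 
 switch {
 case cfg.Tor.V2: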
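Review bot: The two new assignments silently extend the single `--tor.encryptkey` flag to the watchtower's onion key file as well as the peer onion key file, and nothing near the flag or here says so. A one-line comment above `wtCfg.EncryptKey = cfg.Tor.EncryptKey`, such as `// The watchtower onion key is encrypted with the same flag and key ring as the peer onion key.`, would make the shared setting explicit for anyone later wanting to split the two. `Main` continues well outside this hunk, so whether `activeChainControl` is guaranteed non-nil at this point cannot be confirmed from the diff; if it can be nil here, the dereference needs a guard.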
11
server.go
11
server.go
@ -47,6 +47,7 @@ import (
|
|||||||
"github.com/lightningnetwork/lnd/keychain"
|
"github.com/lightningnetwork/lnd/keychain"
|
||||||
"github.com/lightningnetwork/lnd/kvdb"
|
"github.com/lightningnetwork/lnd/kvdb"
|
||||||
"github.com/lightningnetwork/lnd/lncfg"
|
"github.com/lightningnetwork/lnd/lncfg"
|
||||||
|
"github.com/lightningnetwork/lnd/lnencrypt"
|
||||||
"github.com/lightningnetwork/lnd/lnpeer"
|
"github.com/lightningnetwork/lnd/lnpeer"
|
||||||
"github.com/lightningnetwork/lnd/lnrpc"
|
"github.com/lightningnetwork/lnd/lnrpc"
|
||||||
"github.com/lightningnetwork/lnd/lnrpc/routerrpc"
|
"github.com/lightningnetwork/lnd/lnrpc/routerrpc"
|
||||||
@ -2766,13 +2767,21 @@ func (s *server) createNewHiddenService() error {
|
|||||||
listenPorts = append(listenPorts, port)
|
listenPorts = append(listenPorts, port)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
encrypter, err := lnencrypt.KeyRingEncrypter(s.cc.KeyRing)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
// Once the port mapping has been set, we can go ahead and automatically
|
// Once the port mapping has been set, we can go ahead and automatically
|
||||||
// create our onion service. The service's private key will be saved to
|
// create our onion service. The service's private key will be saved to
|
||||||
// disk in order to regain access to this service when restarting `lnd`.
|
// disk in order to regain access to this service when restarting `lnd`.
|
||||||
onionCfg := tor.AddOnionConfig{
|
onionCfg := tor.AddOnionConfig{
|
||||||
VirtualPort: defaultPeerPort,
|
VirtualPort: defaultPeerPort,
|
||||||
TargetPorts: listenPorts,
|
TargetPorts: listenPorts,
|
||||||
Store: tor.NewOnionFile(s.cfg.Tor.PrivateKeyPath, 0600),
|
Store: tor.NewOnionFile(
|
||||||
|
s.cfg.Tor.PrivateKeyPath, 0600, s.cfg.Tor.EncryptKey,
|
||||||
|
encrypter,
|
||||||
|
),
|
||||||
}
|
}
|
||||||
|
|
||||||
switch {
|
switch {
|
||||||
|
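Review bot: `encrypter, err := lnencrypt.KeyRingEncrypter(s.cc.KeyRing)` runs unconditionally, so key derivation happens on every onion service creation even when `s.cfg.Tor.EncryptKey` is false, and any key-ring failure now aborts hidden service setup for operators who never opted into encryption — a new failure mode the commit message does not mention. If `tor.NewOnionFile` accepts a nil encrypter when the flag is off (the tor v1.1.0 signature is not in this diff, so this needs confirming), the derivation should be gated on `s.cfg.Tor.EncryptKey`; otherwise a comment should state that the encrypter is always built and why. The same unconditional derivation appears in `Standalone.createNewHiddenService` in the watchtower hunk further down, so whichever resolution is chosen should be applied in both places. `createNewHiddenService` continues outside the hunk.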
@ -98,6 +98,12 @@ type Config struct {
|
|||||||
// for a watchtower hidden service should be stored.
|
// for a watchtower hidden service should be stored.
|
||||||
WatchtowerKeyPath string
|
WatchtowerKeyPath string
|
||||||
|
|
||||||
|
// EncryptKey will encrypt the Tor private key on disk.
|
||||||
|
EncryptKey bool
|
||||||
|
|
||||||
|
// KeyRing is the KeyRing to use when encrypting the Tor private key.
|
||||||
|
KeyRing keychain.KeyRing
|
||||||
|
|
||||||
// Type specifies the hidden service type (V2 or V3) that the watchtower
|
// Type specifies the hidden service type (V2 or V3) that the watchtower
|
||||||
// will create.
|
// will create.
|
||||||
Type tor.OnionType
|
Type tor.OnionType
|
||||||
|
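Review bot: The doc comment `// EncryptKey will encrypt the Tor private key on disk.` does not say which key file it governs or what it depends on, which matters because the field sits next to `WatchtowerKeyPath` and `KeyRing`. Suggest `// EncryptKey, when true, encrypts the watchtower's onion private key file at WatchtowerKeyPath on disk using KeyRing.` and, on `KeyRing`, `// KeyRing is used to derive the key that encrypts the Tor private key; it is presumably required whenever EncryptKey is set (confirm against createNewHiddenService).` The `Config` struct header is outside the hunk.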
@ -6,6 +6,7 @@ import (
|
|||||||
|
|
||||||
"github.com/btcsuite/btcd/btcec/v2"
|
"github.com/btcsuite/btcd/btcec/v2"
|
||||||
"github.com/lightningnetwork/lnd/brontide"
|
"github.com/lightningnetwork/lnd/brontide"
|
||||||
|
"github.com/lightningnetwork/lnd/lnencrypt"
|
||||||
"github.com/lightningnetwork/lnd/tor"
|
"github.com/lightningnetwork/lnd/tor"
|
||||||
"github.com/lightningnetwork/lnd/watchtower/lookout"
|
"github.com/lightningnetwork/lnd/watchtower/lookout"
|
||||||
"github.com/lightningnetwork/lnd/watchtower/wtserver"
|
"github.com/lightningnetwork/lnd/watchtower/wtserver"
|
||||||
@ -163,14 +164,22 @@ func (w *Standalone) createNewHiddenService() error {
|
|||||||
listenPorts = append(listenPorts, port)
|
listenPorts = append(listenPorts, port)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
encrypter, err := lnencrypt.KeyRingEncrypter(w.cfg.KeyRing)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
// Once we've created the port mapping, we can automatically create the
|
// Once we've created the port mapping, we can automatically create the
|
||||||
// hidden service. The service's private key will be saved on disk in order
|
// hidden service. The service's private key will be saved on disk in order
|
||||||
// to persistently have access to this hidden service across restarts.
|
// to persistently have access to this hidden service across restarts.
|
||||||
onionCfg := tor.AddOnionConfig{
|
onionCfg := tor.AddOnionConfig{
|
||||||
VirtualPort: DefaultPeerPort,
|
VirtualPort: DefaultPeerPort,
|
||||||
TargetPorts: listenPorts,
|
TargetPorts: listenPorts,
|
||||||
Store: tor.NewOnionFile(w.cfg.WatchtowerKeyPath, 0600),
|
Store: tor.NewOnionFile(
|
||||||
Type: w.cfg.Type,
|
w.cfg.WatchtowerKeyPath, 0600, w.cfg.EncryptKey,
|
||||||
|
encrypter,
|
||||||
|
),
|
||||||
|
Type: w.cfg.Type,
|
||||||
}
|
}
|
||||||
|
|
||||||
addr, err := w.cfg.TorController.AddOnion(onionCfg)
|
addr, err := w.cfg.TorController.AddOnion(onionCfg)
|
||||||
|