#!/bin/bash # keeps the password in memory between restarts: /dev/shm/.${netprefix}cln.pw # does not store the password on disk unless auto-unlock is enabled # autounlock password is in /root/.${netprefix}cln.pw # command info if [ $# -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "-help" ]||\ ! echo "$@" | grep -Eq "unlock|lock|encrypt|decrypt|autounlock-on|autounlock-off|change-password" ;then echo echo "# unlock/lock, encrypt, decrypt, set autounlock or change password for the hsm_secret" echo echo "# usage:" echo "# cln.hsmtool.sh [unlock|lock] [testnet|mainnet|signet]" echo "# cln.hsmtool.sh [encrypt|decrypt] [testnet|mainnet|signet]" echo "# cln.hsmtool.sh [autounlock-on|autounlock-off] [testnet|mainnet|signet]" echo "# cln.hsmtool.sh [change-password] [testnet|mainnet|signet]" echo exit 1 fi source /mnt/hdd/raspiblitz.conf source <(/home/admin/config.scripts/network.aliases.sh getvars cln $2) passwordFile=/dev/shm/.${netprefix}cln.pw if grep -Eq "${netprefix}clnEncryptedHSM=on" /mnt/hdd/raspiblitz.conf;then if grep -Eq "${netprefix}clnAutoUnlock=on" /mnt/hdd/raspiblitz.conf;then passwordFile=/root/${netprefix}cln.pw fi fi # add default value to raspi config if needed if ! grep -Eq "^${netprefix}clnEncryptedHSM=" /mnt/hdd/raspiblitz.conf; then echo "${netprefix}clnEncryptedHSM=off" >> /mnt/hdd/raspiblitz.conf fi # add default value to raspi config if needed if ! grep -Eq "^${netprefix}clnAutoUnlock=" /mnt/hdd/raspiblitz.conf; then echo "${netprefix}clnAutoUnlock=off" >> /mnt/hdd/raspiblitz.conf fi ############# # Functions # ############# function passwordToFile() { if [ $# -gt 0 ];then text="$1" else text="Type or paste the decryption password for the $CHAIN C-lightning wallet" fi # write password into a file (to be shredded) # get password data=$(mktemp -p /dev/shm/) # trap it trap 'rm -f $data' 0 1 2 5 15 dialog --clear \ --backtitle "Enter password" \ --title "Enter password" \ --insecure \ --passwordbox "$text" 8 52 2> "$data" # make decison pressed=$? case $pressed in 0) sudo touch $passwordFile sudo chmod 600 $passwordFile sudo chown bitcoin:bitcoin $passwordFile sudo tee $passwordFile 1>/dev/null < "$data" shred "$data";; 1) shred "$data" shred -uvz $passwordFile echo "# Cancelled" exit 1;; 255) shred "$data" shred -uvz $passwordFile [ -s "$data" ] && cat "$data" || echo "# ESC pressed." exit 1;; esac } function shredPasswordFile() { echo echo "# Shredding the passwordFile" echo sudo shred -uvz $passwordFile } function encryptHSMsecret() { sudo /home/admin/config.scripts/blitz.setpassword.sh x \ "Enter the password to encrypt the C-lightning wallet file (hsm_secret)" \ "$passwordFile" sudo chmod 600 $passwordFile sudo chown bitcoin:bitcoin $passwordFile (sudo cat $passwordFile;sudo cat $passwordFile) | sudo -u bitcoin \ /home/bitcoin/lightning/tools/hsmtool encrypt \ /home/bitcoin/.lightning/${CLNETWORK}/hsm_secret || exit 1 # setting value in raspiblitz config sudo sed -i \ "s/^${netprefix}clnEncryptedHSM=.*/${netprefix}clnEncryptedHSM=on/g" \ /mnt/hdd/raspiblitz.conf echo "# Encrypted the hsm_secret for C-lightning $CHAIN" } function decryptHSMsecret() { if [ ! -f $passwordFile ];then passwordToFile else echo "# Getting the password from $passwordFile" fi sudo cat $passwordFile | sudo -u bitcoin \ /home/bitcoin/lightning/tools/hsmtool decrypt \ /home/bitcoin/.lightning/${CLNETWORK}/hsm_secret || exit 1 shredPasswordFile # setting value in raspiblitz config sudo sed -i \ "s/^${netprefix}clnEncryptedHSM=.*/${netprefix}clnEncryptedHSM=off/g" \ /mnt/hdd/raspiblitz.conf echo "# Decrypted the hsm_secret for C-lightning $CHAIN" } ########### # Options # ########### if [ "$1" = "unlock" ]; then # getpassword if [ $(sudo journalctl -n5 -u ${netprefix}lightningd | \ grep -c 'encrypted-hsm: Could not read pass from stdin.') -gt 0 ];then if [ -f $passwordFile ];then echo "# Wrong passwordFile is present" else echo "# No passwordFile is present" fi passwordToFile sudo systemctl restart ${netprefix}lightningd # configure --encrypted-hsm elif [ $(sudo journalctl -n5 -u ${netprefix}lightningd | \ grep -c 'hsm_secret is encrypted, you need to pass the \--encrypted-hsm startup option.') -gt 0 ];then echo "# The hsm_secret encrypted, but unlock is not configured" passwordToFile # setting value in raspiblitz config sudo sed -i \ "s/^${netprefix}clnEncryptedHSM=.*/${netprefix}clnEncryptedHSM=on/g" \ /mnt/hdd/raspiblitz.conf /home/admin/config.scripts/cln.install-service.sh $CHAIN fi # check if unlocked attempt=0 while [ $($lightningcli_alias getinfo | grep -c '"id":') -eq 0 ];do if [ $(sudo journalctl -n5 -u ${netprefix}lightningd | \ grep -c 'Wrong password for encrypted hsm_secret.') -gt 0 ];then echo "# Wrong password" sudo rm -f $passwordFile passwordToFile "Wrong password - type the decryption password for the $CHAIN C-lightning wallet" sudo systemctl restart ${netprefix}lightningd elif [ $attempt -eq 12 ];then echo "# Failed to unlock the ${netprefix}lightningd wallet - giving up after 1 minute" echo "# Check: sudo journalctl -u ${netprefix}lightningd" exit 1 fi echo "# Waiting to unlock wallet ... " sleep 5 attempt=$((attempt+1)) done echo "# Ok the ${netprefix}lightningd wallet is unlocked" exit 0 elif [ "$1" = "lock" ]; then shredPasswordFile sudo systemctl restart ${netprefix}lightningd exit 0 elif [ "$1" = "encrypt" ]; then encryptHSMsecret elif [ "$1" = "decrypt" ]; then decryptHSMsecret elif [ "$1" = "autounlock-on" ]; then if grep -Eq "${netprefix}clnEncryptedHSM=on" /mnt/hdd/raspiblitz.conf;then echo "# Moving the password from $passwordFile" sudo -u bitcoin mv /dev/shm/.${netprefix}cln.pw /root/.${netprefix}cln.pw else passwordFile=/root/.${netprefix}cln.pw passwordToFile fi # setting value in raspiblitz config sudo sed -i \ "s/^${netprefix}clnAutoUnlock=.*/${netprefix}clnEncryptedHSM=on/g" \ /mnt/hdd/raspiblitz.conf echo "# Autounlock is on for C-lightning $CHAIN" elif [ "$1" = "autounlock-off" ]; then sudo -u bitcoin mv /root/.${netprefix}cln.pw /dev/shm/.${netprefix}cln.pw # setting value in raspiblitz config sudo sed -i \ "s/^${netprefix}clnAutoUnlock=.*/${netprefix}clnEncryptedHSM=off/g" \ /mnt/hdd/raspiblitz.conf echo "# Autounlock is off for C-lightning $CHAIN" elif [ "$1" = "change-password" ]; then decryptHSMsecret || exit 1 if ! encryptHSMsecret;then echo "# Warning: the hsm_secret is left unencrypted." echo "# To fix run:" echo "/home/admin/config.scripts/cln.hsmtool encrypt $2" exit 1 fi exit 0 else echo "# Unknown option - exiting script" exit 1 fi # set the lightnind service file after all choices /home/admin/config.scripts/cln.install-service.sh $CHAIN