As the title says, I am concerned about funding a Lightning node with any significant amount, because if a thief takes the server he only needs to flash StartOS onto a USB drive and reset the password following this guide: https://docs.start9.com/0.3.5.x/misc-guides/reset-password
If this is correct, can I disable the password reset feature for my StartOS server? This would mean that if I lose my master password I can only use the channel backup file and seed to restore funds on-chain?
Also, if I am correct, a thief can attach the data drive to his PC and decrypt the drive following this guide: Start9 | Mount a Data Drive
Default password is: password.
He only needs to copy the files from /embassy-data/package-data/volumes/c-lightning/data/main/bitcoin (CLN) or /embassy-data/package-data/volumes/lnd/data/main/data (LND) and restore them on a new node.
Is it possible to replace the default password (password) of the crypto_LUKS filesystem with, for example, the master password of StartOS?
Ideally, in my opinion, your principal worry is preventing thieves from entering your home to take your server, etc. Whether it's your server or your hardware wallet, no measures while someone has physical access to your device are really anything other than a delay to a thief having access to everything.
No, it's not possible to change the default LUKS password at this time. It may be in the future. This is a trade-off between preventing people from losing their funds with hardware failures and forgotten passwords and preventing casual thieves from accessing data.
It makes sense, but I believe that LND and CLN wallets need to have an option to encrypt them for users that want that. So when LND starts, it starts locked and is also encrypted at rest.
Perhaps something like that could be added on the OS level, but it would be fairly complicated and perhaps lower priority to add in light of all the other features we have to implement… it might not make the cut for one reason though… that unexpected restarts of the server might leave LND or CLN offline until someone notices, putting funds at risk. But it's an interesting idea.
I want to migrate my routing node from Raspiblitz, but the wallet needs to be locked at rest.
StartOS is running on new machine with LND installed, but not started yet.
After migrating LND using the StartOS default procedure, do I only need to delete pwd.dat?
/embassy-data/package-data/volumes/lnd/data/main# sudo rm pwd.dat
After that, in case the server reboots, I will need to SSH into the server and manually unlock the wallet:
sudo podman exec -it lnd.embassy lncli --rpcserver lnd.embassy unlock
This is it?
The only error I am seeing now in the LND log file is (I haven't migrated anything, just started LND to play with it):
2025-03-07T12:25:48+01:00 2025-03-07 11:25:48.781 [ERR] RPCS: [/lnrpc.WalletUnlocker/GenSeed]: wallet already unlocked, WalletUnlocker service is no longer available
2025-03-07T12:25:48+01:00 Waiting for RPC to start…
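An added example, not from this thread or from Start9: a small POSIX shell audit for the two things this post is about, namely whether the LND volume still carries pwd.dat (meaning the wallet password sits on disk and the wallet auto-unlocks) and what state the wallet is in after a restart, so that a "locked after reboot" node is noticed instead of silently sitting offline, the risk mentioned earlier in the thread. The volume path and the lnd.embassy container name are taken from the thread; that lncli exposes a state subcommand returning JSON like {"state":"LOCKED"} is my assumption and should be checked against your LND version. Everything outside the --live branch runs offline on constructed input.

```shell
#!/bin/sh
# Added example (not the thread's or Start9's code): audit an LND volume for the
# auto-unlock password file and classify the wallet state reported by lncli.

# Path from the thread; override with LND_VOLUME=... when running elsewhere.
LND_VOLUME="${LND_VOLUME:-/embassy-data/package-data/volumes/lnd/data/main}"

# Returns 0 when pwd.dat exists in the given volume directory. Its presence
# means the wallet password is stored on disk and LND will unlock itself.
pwd_file_present() {
    [ -f "$1/pwd.dat" ]
}

# Pull the "state" value out of a JSON document such as {"state":"LOCKED"}.
# Assumed shape of `lncli state` output; prints nothing if no state is found.
wallet_state() {
    printf '%s' "$1" | sed -n 's/.*"state"[[:space:]]*:[[:space:]]*"\([A-Z_]*\)".*/\1/p'
}

# Map a wallet state to the operator action it calls for.
advise() {
    case "$(wallet_state "$1")" in
        LOCKED)                            echo "unlock" ;;   # run the lncli unlock command
        NON_EXISTING)                      echo "create" ;;   # no wallet yet on this volume
        UNLOCKED|RPC_ACTIVE|SERVER_ACTIVE) echo "ok" ;;
        WAITING_TO_START)                  echo "wait" ;;
        *)                                 echo "unknown" ;;
    esac
}

# Live mode talks to the running container; everything above works offline.
if [ "${1:-}" = "--live" ]; then
    if pwd_file_present "$LND_VOLUME"; then
        echo "WARN: $LND_VOLUME/pwd.dat present: wallet password stored on disk, auto-unlock enabled"
    else
        echo "OK: no pwd.dat in $LND_VOLUME; wallet must be unlocked manually after each restart"
    fi
    # Assumption: `lncli state` exists and prints JSON with a "state" field.
    out=$(sudo podman exec lnd.embassy lncli --rpcserver lnd.embassy state 2>/dev/null \
          || echo '{"state":"UNKNOWN"}')
    echo "wallet state: $(wallet_state "$out") -> action: $(advise "$out")"
fi

# Constructed sample, for reading the output format without a live node:
#   advise '{"state":"LOCKED"}'   prints "unlock"
```

Run it as `sh audit.sh --live` from cron or a systemd timer on the StartOS host and alert on any line containing "action: unlock"; the unlock itself stays the manual lncli step shown in the post above, which is the whole point of removing pwd.dat.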
Not exactly… you'd install LND, not start it, then run the "Import from RaspiBlitz" action. That's it. This will copy over the channels db and also add the correct values into pwd.dat.
If you’d like to see how the script works, you can review it here:
I have removed pwd.dat and from now on will need to enter the LND password every time the service restarts.
Everything is working. In RTL all channels and on-chain funds are here.
The only error reported in the LND log (it repeats every 5 seconds) is:
[ERR] RPCS: [/lnrpc.WalletUnlocker/GenSeed]: wallet already unlocked, WalletUnlocker service is no longer available
Waiting for RPC to start…
I'm not entirely sure why some part of LND thinks it needs to generate a seed. It would have to be related to one of the additional steps you went through for your particular case.
I’d save the LND config, let the service restart, and see if it goes away. If not, you might need to ask the LND devs what we’re not seeing.
I have restarted the server and unlocked it via SSH, but the error keeps repeating, although I don't see it causing any problem.
Sorry to burden you with this, but can you please show me how to start the LND service (just like clicking the START button in the app) via SSH in the terminal?