[tor] Add ability to encrypt the Tor private key on disk #4458
Conversation
wpaulino
added
enhancement
|
Discussion question: In this implementation, if LND is started with |
gkrizek
force-pushed
the
encrypt-tor-privatekey
branch
from
8dc7725 to
7913317
Compare
Roasbeef
requested review from
Crypt-iQ
and removed request for
Roasbeef and
cfromknecht
There was a problem hiding this comment.
However, if LND was later started without the --tor.encryptkey it would write the key to disk in plaintext (because it wasn't instructed to encrypt it). Is this the best behavior? Should we always save the key in an encrypted format if the flag is passed and never let it be stored in plaintext?
In that case, a user-friendly error can be returned to prevent startup noting that the private key is encrypted and the flag should be toggled to continue. In the future, we may want to consider toggling the flag by default, but that'd be a breaking change.
gkrizek
force-pushed
the
encrypt-tor-privatekey
branch
from
7913317 to
a17c609
Compare
|
Thanks for the review, @wpaulino! I've addressed your comments, PTAL. I also added a condition if the Tor private key is encrypted but LND doesn't have |
gkrizek
force-pushed
the
encrypt-tor-privatekey
branch
from
a17c609 to
bb3365e
Compare
gkrizek
force-pushed
the
encrypt-tor-privatekey
branch
from
bb3365e to
dde6f61
Compare
|
@gkrizek the linter reported some failures. Could you address those? |
gkrizek
force-pushed
the
encrypt-tor-privatekey
branch
from
dde6f61 to
1e239ec
Compare
|
@wpaulino Addressed. |
gkrizek
force-pushed
the
encrypt-tor-privatekey
branch
from
1e239ec to
7d3c553
Compare
|
Reviewing now |
gkrizek
force-pushed
the
encrypt-tor-privatekey
branch
from
9f777c3 to
430c1fc
Compare
|
ping. I think this would still be valuable. |
|
In some cases I could see this being valuable, like if there happened to be a remote file-system leak vulnerability in lnd. But IMO our code isn't complex enough to have one of those bugs. That leaves us in the realm of access to the machine that lnd is running on. If somebody has access to the machine, it is already game over as they could dump the memory of the running process if they have privileges. If they don't, they could perform any one of the well-documented side-channel attacks that exist. For those reasons I'm not sure it makes sense to give users a false sense of security at the cost of increased code complexity. |
There was a problem hiding this comment.
I think this is a nice security feature and makes sense to add.
Did a high-level pass and things look pretty good functionality wise (didn't run any manual tests yet, will do so in the second pass). But there are quite a few style related comments, also from previous reviewers. I think in general the commits should be smaller too.
Will do a second pass once the commit structure is cleaned up a bit.
…its own package called lnencrypt The functions inside of the crypto.go file in chanbackup (like EncryptPayloadToWriter and DecryptPayloadFromReader) can be used by a lot of things outside of just the chanbackup package. We can't just reference them directly from the chanbackup package because it's likely that it would generate circular dependencies. Therefore we need to move these functions into their own package to be referenced by chanbackup and whatever new functionality that needs them
gkrizek
force-pushed
the
encrypt-tor-privatekey
branch
from
430c1fc to
8129b6a
Compare
…ity to encrypt the Tor private key on disk It's possible that a user might not want the Tor private key to sit on the disk in plaintext (it is a private key after all). So this commit adds a new flag to encrypt the Tor private key on disk using the wallet's seed. When the --tor.encryptkey flag is used, LND will still write the Tor key to the same file, however it will now be encrypted intead of plaintext. This essentially uses the same method to encrypt the Tor private key as is used to encrypt the Static Channel Backup file.
gkrizek
force-pushed
the
encrypt-tor-privatekey
branch
from
8129b6a to
a9fcaea
Compare
|
@guggero, @orbitalturtle has addressed all your comments. Please take another look. Thanks! |
| @@ -188,7 +190,7 @@ func assertMultiEqual(t *testing.T, a, b *Multi) { | |||
| func TestExtractMulti(t *testing.T) { | |||
| t.Parallel() | |||
|
|
|||
| keyRing := &mockKeyRing{} | |||
| keyRing := &lnencrypt.MockKeyRing{} | |||
There was a problem hiding this comment.
Can't we move to the mock.MockKeyRing here directly? Instead of creating a new one and then moving away from that in a later commit?
There was a problem hiding this comment.
Ah yes so I think I was attempting to split out the mock key change into a new PR as requested here #4458 (comment)
But perhaps it'd be better to resquash it into one commit? Thoughts?
|
|
||
| // NewOnionFile creates a file-based implementation of the OnionStore interface | ||
| // to store an onion service's private key. | ||
| func NewOnionFile(privateKeyPath string, privateKeyPerm os.FileMode, |
There was a problem hiding this comment.
Now we still have two OnionFile structs. Can't this be integrated into the existing one? It seems we just add two new parameters and some additional logic. Or is the idea to remove the tor.OnionFile since it's not used anymore? I think the diff could be way smaller if we just integrated this new code into the existing struct.
There was a problem hiding this comment.
Yes deleted original onionfile in the Tor package. Moved the onionfile to a new package based on the convo in here: #4458 (comment)
There was a problem hiding this comment.
Ooooohhhh, I see now. Yeah I never deleted the OnionFile data in cmd_onion. Will fix that !
|
Replaced by #6500. |
It's possible that a user might not want the Tor private key to sit on the disk in plaintext (it is a private key after all). So this commit adds a new flag to encrypt the Tor private key on disk using the wallet's seed. When the
--tor.encryptkeyflag is used, LND will still write the Tor key to the same file, however it will now be encrypted instead of plaintext. This essentially uses the same method to encrypt the Tor private key as is used to encrypt the Static Channel Backup file.Summary of Changes:
crypto.gofile fromchanbackupinto its own package calledlnencrypt.This was needed because we can't directly reference the
encryptPayloadToWriteranddecryptPayloadFromReaderfunctions from thechanbackuppackage due to circular dependency issues. Also, I think it's very likely that future enhancements will also want to use these same functions. Thus I've moved them to their own package.--tor.encryptkeywhich encrypts the Tor private key.When this is set it encrypts the private key and writes the encrypted blob to the same file on disk. This allows users to still keep the same functionality and flows as before (like refreshing a hidden service), but adds protection when running in untrusted environments.