
@Stadicus
Created November 12, 2021 21:44
### (Optional) Autounlock LND wallet
Since version 0.13, LND can read the wallet password from a file.
There are many options to (more or less) securely store the password in a file.
LND [describes two options](https://github.com/lightningnetwork/lnd/blob/master/docs/wallet.md#auto-unlocking-a-wallet): an easy but insecure one, and a more secure option using additional software like a password manager.
We explain an easy approach that is reasonably secure against remote attacks (the main threat in our opinion), but not very secure if someone gains physical access to your RaspiBolt node. The main advantage of this method is that only the `root` user has access to the password, and it is exposed to the `bitcoin` group on startup in memory only.
* As user "admin", create a new directory, prepare it and create an empty file to which only `root` has access
```sh
$ sudo mkdir -m 700 /etc/lnd
$ sudo chown root:root /etc/lnd
$ sudo install -o root -g root -m 600 -T /dev/null /etc/lnd/pwd
```
* Open the file and enter your LND `password [C]`
```sh
$ sudo nano /etc/lnd/pwd
```
* Create a shell script that will expose the password to the file `/run/lndpass` stored in memory on startup, and make it executable for `root` only.
```sh
$ sudo nano /etc/lnd/wallet-unlock-tmpfs.sh
```
```sh
#!/bin/sh
install -o root -g bitcoin -m 640 -T /dev/null /run/lndpass
cat /etc/lnd/pwd > /run/lndpass
```
```sh
$ sudo chmod 700 /etc/lnd/wallet-unlock-tmpfs.sh
```
* Change the "Service execution" section in the LND systemd unit as shown below.
The `+` prefix on the `ExecStartPre=` command instructs systemd to run this script as `root`, while LND itself is started as the `bitcoin` user.
This prevents LND (or any other program not running as `root`) from reading the source password file directly.
After LND is started, systemd waits for 10 seconds and then deletes the temporary password file.
```sh
$ sudo nano /etc/systemd/system/lnd.service
```
```ini
# Service execution
###################
#ExecStart=/usr/local/bin/lnd
ExecStartPre=+/etc/lnd/wallet-unlock-tmpfs.sh
ExecStart=/usr/local/bin/lnd --wallet-unlock-password-file=/run/lndpass --wallet-unlock-allow-create
ExecStartPost=/bin/sleep 10
ExecStartPost=+rm -f /run/lndpass
```
* Update the systemd unit and restart LND
```sh
$ sudo systemctl daemon-reload
$ sudo systemctl restart lnd
```
* Check the LND logs to see whether the wallet was unlocked successfully (exit with `Ctrl-C`).
Additionally, if you can query LND for basic info, the wallet is definitely unlocked.
```sh
$ sudo journalctl -f -u lnd
$ lncli getinfo
```
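The following script is an added example, not part of the gist or of LND: it is the staging logic from `wallet-unlock-tmpfs.sh` above, parameterised so that the permission invariants the procedure relies on can be exercised in a scratch directory as an unprivileged user. On the real node the source is `/etc/lnd/pwd`, the runtime copy is `/run/lndpass`, the group is `bitcoin`, and `stage_password` runs as `root` via `ExecStartPre=+` (add `-o root` to the `install` call there). The sample password is constructed; `stat -c '%a'` assumes GNU coreutils as on Raspberry Pi OS.

```sh
#!/bin/sh
# Added example (not from the gist): parameterised version of the password
# staging script, plus checks for the file modes the procedure depends on.

# Create DST with mode 640 and group GRP *before* writing any bytes, then copy
# the secret in. Because install(1) fixes the mode first, the password never
# sits in a file created with the default umask (typically world-readable).
stage_password() {
  src=$1; dst=$2; grp=$3
  install -g "$grp" -m 640 -T /dev/null "$dst" || return 1
  cat "$src" > "$dst"
}

# Return 0 only if FILE ($1) has exactly the octal mode MODE ($2).
mode_is() {
  [ "$(stat -c '%a' "$1")" = "$2" ]
}

# Verify the two invariants from the page: the persistent secret is readable
# by its owner only (0600), and the staged copy is group-readable but never
# world-readable (0640).
check_layout() {
  src=$1; dst=$2
  mode_is "$src" 600 || { echo "FAIL: $src should be 0600, is $(stat -c '%a' "$src")" >&2; return 1; }
  mode_is "$dst" 640 || { echo "FAIL: $dst should be 0640, is $(stat -c '%a' "$dst")" >&2; return 1; }
  return 0
}

# Remove the staged copy; mirrors "ExecStartPost=+rm -f /run/lndpass".
unstage_password() {
  rm -f "$1"
}

# End-to-end run in a temporary directory with a constructed password.
demo() {
  tmp=$(mktemp -d) || return 1
  install -m 600 -T /dev/null "$tmp/pwd"
  printf 'correct horse battery staple\n' > "$tmp/pwd"   # constructed sample, not a real password
  stage_password "$tmp/pwd" "$tmp/lndpass" "$(id -gn)" || return 1
  check_layout "$tmp/pwd" "$tmp/lndpass" || return 1
  # the staged copy must be byte-identical to the secret
  cmp -s "$tmp/pwd" "$tmp/lndpass" || return 1
  unstage_password "$tmp/lndpass"
  [ ! -e "$tmp/lndpass" ] || return 1
  rm -rf "$tmp"
  echo "ok: staging, permissions and cleanup behave as expected"
}

demo
```

Running `check_layout /etc/lnd/pwd /run/lndpass` as `root` during the 10-second window after LND starts is a quick way to confirm the modes on a live node; after `ExecStartPost` has run, the second check is expected to fail because the runtime copy no longer exists.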