Forgive my ignorance, but can a lightning node work properly without access to the keys (I mean while the user is logged out, which would mainly be used to receive LN transactions)?
I know this kind of scheme works well for on-chain stuff, but I was under the impression that LN nodes have a more active role/job (such as monitoring channels and acting when the other end is acting maliciously).
Keys are in the cloud with the wallet running 24/7. Access to the wallet is restricted by password.
Keys are in the cloud...running 24/7
That doesn't seem compatible with this:
The keys are encrypted by user's password...Alby cannot....access funds in any way
If the keys are "active" 24/7, signing transactions and processing NWC requests, then they must be in plaintext, at the very least stored in the virtual machine's RAM, because an encrypted key can't sign anything; a key can only sign stuff once it's decrypted. And if the keys are stored unencrypted in RAM on your server so that the node can sign transactions, then what's stopping you from reading that RAM?
100 sats \ 3 replies \ @bumi 24 Jul
All data is encrypted and only decrypted to start the node in memory; nothing is on disk. But yes, this is similar to any hosting provider. If one has access to the machine and can read the RAM, one could find keys. This gets a bit in the direction that if you don't build the software stack yourself, and ideally build the hardware yourself, nothing can be trusted. You might not use a hosting setup for your bitcoin stash - that's probably on a hardware wallet from a trustworthy vendor, potentially in a multisig. But it's a solution for your accessible lightning wallet to do all the exciting lightning things. Generally I guess the hosting is a bit comparable to Voltage. Phoenixd also goes in the direction of an always-on server node (afaik they don't encrypt the seed on disk).
We put a lot of work in to make it possible to run the Alby Hub everywhere, so that users can choose what works for them: this can be a Raspberry Pi Zero (some $20 hardware!), your desktop computer, your own server (e.g. we have docker and one-click deploys for hosters, too), etc.
I think that's all wonderful, and different solutions will work best for different folks. I am glad you are offering this service and I hope you make a lot of money from it and get a lot of users. But don't advertise it like Voltage did early on: they frequently said their cloud-hosted option was self-custodial, but since they had an unencrypted copy of each user's private keys in their server's RAM, these advertisements were lies. Similarly, I recommend not advertising the cloud-hosted option as self-custodial as long as you guys have an unencrypted copy of each user's private keys in your server's RAM.
141 sats \ 1 reply \ @bumi 24 Jul
I agree. This word has a bit of different meanings for different people. Ultimately it is a bit of a range and imo also it's about the context of usage and goal. I think so far the focus is on the Hub here, I guess. The cloud hosting is an offer we provide. And the talk about unencrypted memory is a bit tricky imo and also quite different to persisted storage. But yes, it's a cloud setup where hosters put servers somewhere and run it for you.
I really appreciate this feedback; we have to try to be very clear here and explain things well to users. Thanks!
142 sats \ 0 replies \ @bumi 24 Jul
Btw, what I want to generally spend more time on is the talk about supply-chain attacks on wallets. It's potentially easier to compromise some dependency or a build than to access some RAM on servers directly.
Let me get someone technical to answer that 🙃
I guess Alby has access to the keys then
No, we don't. We can request invoices that your node will pay. You can stop the NWC connection to stop paying, but then after some time we will close your cloud instance. You can still migrate your funds, though, with your keys.
The upgrade page says this about the monthly subscription fee:
Amount will be deducted from your wallet balance once a month
How does that work?
The cloud subscription is based on the NWC connection.
If you run it on your own device/server, there's no subscription, of course.