Hey there,
Graham here, the CEO of Voltage. This is a big question with many parts but I’ll try to answer the best I can (it’s going to be long). There’s two very different pieces of this question, the regulation aspect and the technology & custodianship. First off, the definition of custodianship is somewhat murky. There’s always a “yeah, but” to it. Before Bitcoin, your options were to hold cash or put it in a bank (custody). Now we have an amazing new technology that gives us the benefits of those bank type solutions (and more) with an entirely new way to control our money. The invention of Bitcoin has made custody not so black and white. There’s the really obvious example of custodians, like Wallet of Satoshi, then there’s things like trusted swap providers. Are those custodial because they own user funds while swapping? There is a huge spectrum to this from your own cold storage to Coinbase. To your point, if Chase bank uses AWS for hosting and AWS could get into their RDS instances to get user credentials or move money, does that make them a custodian? I’d say no, but they’d probably be considered a trusted 3rd party. The biggest conversation here is really around Trust.
For the technology aspect, it’s impossible to do hosting without trust. You gotta trust GoDaddy to keep your website up. No matter the provider (Voltage, Greenlight, etc) you gotta trust the provider to keep the node online. You gotta trust the provider to do the right thing and keep things secure. At Voltage we’ve gone to great lengths to achieve this. We’ve submitted many PRs to LND to enhance its security, like TLS key encryption, Tor key encryption, and more. We aren’t just throwing LND on some VPS and calling it good. There’s no sensitive data on disks or in our databases that’s readable by us. We do keep encrypted backups of some things like seeds and macaroons, but those are encrypted client-side so we never know them. Now, one of your points is around keys for a lightning node. Node keys live encrypted in the node’s database. When a node starts up it must be unlocked by the user with a password that they’ve set and we don’t know. At that time the keys are held inside of the LND process for the duration that process is living. The memory itself from the underlying server is encrypted as well with keys Voltage does not have access to, so the node keys are never living outside of an encrypted space. Of course, some people might want keys running in a different location, à la Remote Signing. This is a great start, but doesn’t fully remove trust from the hosting provider. In today’s remote signing implementations, you still have to trust the hosting provider that the requests that are being sent to the signer are honest. Even with a Watchtower, if your hosting provider is running the Node and Watchtower, then they just shut down the Watchtower and broadcast an old state. To get to the most trustless deployment of ‘node in the cloud and signing outside the node’ you’ll have to run a Bitcoin full node on the signer as well as the node to verify everything. This gets very complicated very fast and there are a million different ways to deploy these things.
In summary, if you want trustless and totally ‘noncustodial’ you gotta do it all yourself. From there, there’s a huge spectrum of trust tradeoffs that just go back to the individual to decide. We offer remote signing as well as other providers, so everyone’s just gotta do what’s best for them. Final point on this is, we’re working hard to make all this better. More hosting options, more signing options, etc. The nodes product we have today is very much a ‘v1’ and the nodes product we’ll have in the months and years to come will be very different.
Now the regulation piece. We’re operating in a brand new space and all of Bitcoin is moving faster than the law can keep up. We have a legal team we work with and we feel totally fine on our regulatory position. Additionally, it’s something we always keep our eyes on. I don’t think there’s any ‘time bomb’ there, especially when you see the other products and services out there. I won’t name names to be respectful, but there’s lots of Bitcoin companies that are very clearly MSBs and are operating without the proper licensing. We’ve got a lot of armchair lawyers in Bitcoin and ultimately it’s up to each company to consult their own legal team, abide by the law the best they can, and watch for clarity as it comes.
Again, this is a big topic and I can rant on, but I’ll stop there. I think the main part of your question was around VPS hosts and what happens when you put your Bitcoin keys on it. I think that depends on a ton of factors, but for us, we try to encrypt everywhere so it's more than a standard VPS deployment. There’s trust and tradeoffs all over the place, everyone’s just gotta find their balance.
Thanks for the thoughtful answer Graham! There's a meme in the air that all hosting is bad. The reality is that every deployment model has trade-offs and where and how you deploy can be a nuanced answer depending on what you're trying to achieve. For a great many use cases, running a lightning node on a managed hosting provider lands on the right side of the balance.
Couldn't have gotten a better answer. Very well written!