Lightning Vault - how to manage secrets in the cloud
A better way to securely handle lightning node credentials in the cloud
Making internet-connected software secure is hard. Securing applications that handle money is even harder, and that much more important. When that money is permissionless, settles instantly and has no central party that could revert a transaction and recover your funds, security becomes one of the cornerstones of the whole system.
While we would all prefer to host our lightning nodes in our own fortified citadels, the reality is that this is not always possible or feasible. From the network stats, more than half of network capacity is hosted on either AWS or GCP, and we at bolt.observer are among those.
While having your keys on a third-party cloud is far from ideal, there are many other risk factors to consider when developing applications around the Lightning Network. You can keep your keys safe, but if your macaroons get exposed you can still lose your funds: an admin macaroon lets whoever holds it send payments from your node. With the rising tide of new projects in the space, this is more important than ever.
Secure management of secrets is a big field in IT, and several solutions have become industry standard in the broader ecosystem. One of the principles for tackling the problem is rotating secrets, which solves at least two problems. First, a long-lived credential tends to end up shared by everyone, written down, and possibly even committed to a source control repository. Second, if your application is compromised or your credentials leak some other way, the damage is bounded because the leaked secrets are short-lived and expire on their own.
With this in mind, we developed a tool for our internal use at bolt.observer. We are releasing it into the wild today to help other companies and individuals in the space build better and more secure applications - introducing Lightning Vault.
Lightning Vault is a cloud secrets manager for lightning node authentication tokens on AWS. Currently, it supports macaroons (lnd) but we're expanding it to runes (cln) in the near future.
How it works
Lightning Vault uses AWS Secrets Manager to store your macaroons; you can read more about its security model here. Vault is essentially an API layer on top of Secrets Manager that provides macaroon issuance and rotation. It is written in Go and currently supports three time horizons for secrets: 10 minutes, 1 hour, and 1 day.
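To show what "issuing a macaroon with a time horizon" means and why a leaked short-lived macaroon is worth so much less than the root one, here is an added, self-contained Go example. It is not Lightning Vault's code and not lnd's macaroon implementation: it models the HMAC-chained bearer-token construction that lnd macaroons are built on (signature re-keyed through every appended caveat), using only the standard library, and uses lnd's `time-before <RFC3339>` caveat convention. The root key, the identifier `lnd-admin` and the fixed clock are constructed values for the demonstration; a real macaroon uses the libmacaroons wire format and would be checked by lnd itself.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Macaroon is a deliberately minimal model of an HMAC-chained bearer token
// (the construction lnd macaroons use): an identifier, first-party caveats,
// and a signature that is re-keyed through every appended caveat.
// It is NOT the libmacaroons wire format and cannot be presented to lnd.
type Macaroon struct {
	ID      string
	Caveats []string
	Sig     []byte
}

// Horizons are the three secret lifetimes the post mentions.
var Horizons = map[string]time.Duration{
	"10m": 10 * time.Minute,
	"1h":  time.Hour,
	"1d":  24 * time.Hour,
}

func mac(key, msg []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(msg)
	return h.Sum(nil)
}

// Mint creates a root macaroon. Only the holder of rootKey can do this, which
// is why the vault, and nothing in the application cluster, keeps that key.
func Mint(rootKey []byte, id string) *Macaroon {
	return &Macaroon{ID: id, Sig: mac(rootKey, []byte(id))}
}

// AddCaveat attenuates a macaroon. Anyone holding a macaroon can add a caveat,
// but nobody can remove one: the new signature is HMAC(oldSig, caveat) and the
// old signature is discarded, so restrictions only ever accumulate.
func (m *Macaroon) AddCaveat(c string) *Macaroon {
	caveats := append(append([]string{}, m.Caveats...), c)
	return &Macaroon{ID: m.ID, Caveats: caveats, Sig: mac(m.Sig, []byte(c))}
}

// IssueShortLived is what a vault-style issuer does per request: it takes the
// long-lived root macaroon and hands out a copy that dies after ttl.
func IssueShortLived(root *Macaroon, ttl time.Duration, now time.Time) *Macaroon {
	return root.AddCaveat("time-before " + now.Add(ttl).UTC().Format(time.RFC3339))
}

// Verify recomputes the HMAC chain from the root key and enforces every
// time-before caveat against now. The earliest deadline wins, so appending a
// later time-before caveat cannot extend a token's life.
func Verify(rootKey []byte, m *Macaroon, now time.Time) error {
	sig := mac(rootKey, []byte(m.ID))
	for _, c := range m.Caveats {
		if strings.HasPrefix(c, "time-before ") {
			deadline, err := time.Parse(time.RFC3339, strings.TrimPrefix(c, "time-before "))
			if err != nil {
				return fmt.Errorf("bad time caveat %q: %w", c, err)
			}
			if !now.Before(deadline) {
				return errors.New("macaroon expired")
			}
		}
		sig = mac(sig, []byte(c))
	}
	if !hmac.Equal(sig, m.Sig) {
		return errors.New("signature mismatch")
	}
	return nil
}

func main() {
	rootKey := []byte("constructed-root-key-do-not-reuse") // constructed sample
	now := time.Date(2023, 6, 1, 12, 0, 0, 0, time.UTC)   // fixed clock for the demo
	root := Mint(rootKey, "lnd-admin")
	short := IssueShortLived(root, Horizons["10m"], now)

	fmt.Println("after 5m: ", Verify(rootKey, short, now.Add(5*time.Minute)))  // <nil>
	fmt.Println("after 11m:", Verify(rootKey, short, now.Add(11*time.Minute))) // expired

	// An attacker who steals the short-lived token cannot strip the caveat...
	stripped := &Macaroon{ID: root.ID, Sig: short.Sig}
	fmt.Println("stripped: ", Verify(rootKey, stripped, now)) // signature mismatch
	// ...and appending a later deadline does not help, the earlier one still applies.
	extended := short.AddCaveat("time-before " + now.Add(Horizons["1d"]).UTC().Format(time.RFC3339))
	fmt.Println("extended: ", Verify(rootKey, extended, now.Add(11*time.Minute))) // expired
}
```

Two practical points follow from the construction. The root macaroon never expires, so the vault is the only place it (and the key that can mint it) should ever live; the application cluster only ever sees attenuated copies. And because the deadline is a timestamp checked by the node at request time, the issuer's and the node's clocks need to agree, otherwise a 10-minute token may be dead on arrival or live longer than intended.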
An example of how you'd design your infrastructure to incorporate Lightning Vault:
The privileged cluster consists of several vault instances for redundancy and is the only service with access to Secrets Manager. It is reachable only on the internal network, with just its API exposed to the application cluster, which separates access to the secrets from the applications themselves and minimizes the attack surface.
Usage
The Lightning Vault API is simple, and we have included examples in Python and Go, along with an internal Go library for interacting with Lightning Vault.
Vault supports multiple authentication methods to fit different scenarios and use cases: standard HTTP Basic Auth, or Amazon's signed requests (Signature Version 4), which let you leverage IAM for access control.
Examples of interacting with Lightning Vault, and instructions on how to run and configure it, can be found here.
Future
We created this tool for our internal needs, but it could easily be extended to support other backends such as GCP Secret Manager or hardware security modules (HSMs). If you would like to integrate it with a different storage backend, please reach out; we are happy to assist. Pull requests and comments are of course welcome.