Security
LND Node
LND Node Security

Comprehensive guide to securing your Lightning node on Voltage

Overview

LND implements multiple layers of security to protect your funds and node operations. This document covers the key security components: seed phrase management, wallet encryption, authentication via TLS and macaroons, and channel backups. Understanding these components is essential for securely operating a Lightning node.

Seed Phrase

Aezeed Format

LND uses a 24-word seed phrase based on the custom aezeed cipher seed scheme rather than the standard BIP39 mnemonic. Aezeed introduces two important features:

- Versioning: enables future-proof key derivation and wallet upgrades.
- Birthday timestamp: limits how far back the blockchain needs to be scanned on recovery, significantly speeding up the process.

The aezeed seed phrase is an encrypted mnemonic. The 24 words encode ciphertext (not plaintext entropy) and can include an optional passphrase for added security. If a passphrase is set during wallet creation, it will be required to decrypt the cipher seed and derive the wallet keys.

Accessing Your Seed Phrase on Voltage

To access your seed phrase in the Voltage dashboard:

1. Navigate to your node dashboard.
2. Click Backup & Export.
3. Select Seed Phrase Backup.
4. Click Reveal Seed Phrase.

Store your seed phrase offline in a secure location. Never store it on an internet-connected device. This seed phrase is the ultimate backup of all your wallet keys.

Recovery Considerations

If you need to recover funds externally from Voltage, the process depends on what type of funds you're recovering.

On-chain funds only (seed phrase):

1. Deploy a new LND Lightning node and enter your seed phrase at startup.
2. LND will scan the blockchain and recover any on-chain UTXOs.

On-chain + Lightning channel funds (seed phrase + SCB):

1. Deploy a new LND node with your seed phrase.
2. Import your static channel backup using restorechanbackup.
3. LND will contact channel counterparties and initiate force closes.
4. Channel funds will be returned to your on-chain wallet after the timelock expires.

Critical warnings:

- The original node must be turned off before recovery and never turned on again. Running two instances of the same node simultaneously can lead to data corruption and potential loss of funds.
- SCB recovery closes all channels permanently—this is a last-resort recovery method, not a migration tool.
- Without a static channel backup (SCB), Lightning channel funds cannot be reliably recovered. Always maintain an up-to-date backup of your channel.backup file.

Voltage SCB Management: Voltage automatically generates and updates your SCB file whenever you open or close a channel.
https://docs.voltageapi.com/lnd-node#y4hy4

Node Password and Wallet Encryption

Understanding the Node Password

When you deploy an LND node on Voltage, you set a node password (minimum 8 characters). This password serves a critical security function: it encrypts all sensitive wallet data stored on disk, including the HD seed and private keys.

Key points about the node password:

- It is not stored on Voltage servers and cannot be recovered if lost.
- Required for all administrative functions in the dashboard UI.
- Required every time the node restarts to transition from "waiting unlock" to "running" state.
- Uses AES-256 encryption for securing credentials.

Password vs Seed Passphrase

The wallet password is distinct from the seed phrase's optional passphrase:

| Credential | Purpose | When used |
| --- | --- | --- |
| Wallet password | Encrypts wallet data on disk | Every node startup and admin action |
| Seed passphrase (optional) | Encrypts the mnemonic backup | Wallet creation and recovery only |

Both are needed in scenarios where a cipher passphrase was used during wallet creation.

Encryption Details

When creating nodes via the Voltage dashboard, credentials are encrypted client-side before backup. This allows Voltage to display connection information and provide functionality without ever being able to access your actual credentials. LND uses scrypt with modern parameters for key derivation, protecting against brute-force attempts.

Auto-Unlock

For production deployments requiring automated restarts, you can enable auto-unlock via webhooks. See the webhooks documentation (https://docs.voltage.cloud/webhooks) for setup instructions.

Macaroons (API Authentication)

Macaroons are LND's native permission token scheme for API authentication and access control. They are cryptographically secured tokens that grant specific permissions without requiring the wallet password or seed.

Default Macaroon Types

On wallet initialization, LND generates three macaroon files:

| Macaroon | Permissions |
| --- | --- |
| admin.macaroon | Full access to all RPC methods |
| readonly.macaroon | Read-only access; cannot initiate transactions or modify state |
| invoice.macaroon | Invoice and payment creation only |

Security Considerations

- Macaroons are tied to a root key stored in the wallet database.
- Anyone with your admin macaroon (and TLS certificate access) can act as your node over RPC.
- Treat macaroon files like passwords; never share the admin macaroon publicly.
- Use least-privilege macaroons (readonly or invoice) for applications that don't need full access.
- The macaroon root key can be rotated via the ChangePassword RPC, invalidating all existing macaroons.

API Access (Without Node Password)

When using the Voltage API directly, the node password is not required. Authentication uses the macaroon and API endpoint instead, allowing programmatic access without exposing the wallet password.

TLS Certificates

LND uses TLS certificates to secure all RPC and REST API connections. By default, LND generates a self-signed certificate (tls.cert) and private key (tls.key) on first startup.

Voltage TLS Handling

Voltage nodes use CA-signed TLS certificates instead of self-signed certificates. This means:

- No TLS cert required for API requests: standard HTTP clients (browsers, fetch, curl) will trust the connection automatically since the certificate is signed by a recognized certificate authority.
- Simplified integration: you only need your macaroon and API endpoint to connect—no certificate configuration required.
- Some applications still require it: certain LND tools (like Lightning Terminal) may still require the TLS certificate file for gRPC connections. If needed, you can download your node's TLS certificate from the Connect section in your Voltage dashboard.

Self-Hosted LND Nodes (For Reference)

For self-hosted LND nodes using the default self-signed certificates:

- All connections must be TLS-encrypted.
- Clients must have the tls.cert file to verify the node's identity.
- The tls.key must remain private; if compromised, an attacker could impersonate your node's RPC server.
- Certificates auto-regenerate on expiration (default 14 months).

Static Channel Backups (SCB)

LND supports static channel backups to help recover funds if your node is lost or corrupted. SCBs contain encrypted snapshots of channel information needed to initiate recovery.

How SCB Works

LND maintains a channel.backup file containing encrypted backup data for each channel. The backup:

- Is encrypted with a key derived from your seed phrase.
- Is updated automatically whenever channels are opened or closed.
- Contains channel funding outpoints, peer node IDs, and recovery scripts.

Voltage SCB Management

Voltage automatically generates and updates your SCB file whenever you open or close a channel. You can:

- Download manually: access your current backup anytime from the Backup & Export section in your node dashboard.
- Automate programmatically: use LND's SubscribeChannelBackups endpoint to stream real-time backup updates to your own storage system.
  - REST: GET /v1/channels/backup/subscribe
  - gRPC: SubscribeChannelBackups

This streaming endpoint pushes an updated multi-channel backup each time your channel state changes, enabling automated off-site backup workflows.

Recovery Process

Recovering from catastrophic failure requires two pieces:

1. Your 24-word seed phrase
2. Your static channel backup file

With these, you can recreate your wallet on a fresh node and use RestoreChannelBackups to recover funds. LND will contact channel counterparties and request cooperative force closes, returning funds to your on-chain wallet.

SCB recovery is a one-shot process. After recovery, channels are closed and channel relationships are terminated. Back up your channel.backup file to an off-site location.

Startup and Unlock Process

First-Time Initialization

On first start, LND runs in a special mode waiting for wallet setup:

1. The wallet unlocker service is exposed on the RPC port.
2. User provides a wallet password and either generates a new seed or inputs an existing one.
3. LND derives BIP32 master keys, encrypts them, and initializes wallet structures.
4. TLS certificate and macaroons are generated.
5. Full LND services start up.

Subsequent Startups

Each restart, LND begins in a locked state. Only the wallet unlocker service is active until the correct password is provided. This ensures that if an attacker gains file access while the node is off, they cannot read the keys without the password.

Secure Data Storage

LND stores sensitive data in several locations, each with specific security characteristics:

| File | Contents | Security |
| --- | --- | --- |
| wallet.db | Encrypted HD seed, private keys, macaroon root key | Encrypted with wallet password |
| channel.db | Channel states, network graph, peer info | Not encrypted (no private keys) |
| channel.backup | Static channel backup for recovery | Encrypted with seed-derived key |
| *.macaroon | API authentication tokens | Secured by root key in wallet.db |
| tls.cert / tls.key | TLS certificate and private key | Protected by file permissions |

Security Best Practices

- Strong passwords: use unique, complex passwords for both wallet password and any seed passphrase.
- Offline seed storage: store your 24-word seed phrase offline and don't pull down the backup until you are ready to secure it.
- Regular backups: back up your channel.backup file to secure off-site storage whenever channels change.
- Least-privilege access: use readonly or invoice macaroons for applications that don't need full control.
- File permissions: ensure only the node operator can read TLS and macaroon files.
- Network isolation: don't expose RPC ports publicly; use secure tunnels when remote access is needed.
- Credential rotation: rotate macaroon root keys if you suspect compromise.

Additional Resources

- https://docs.lightning.engineering/lightning-network-tools/lnd/macaroons
- https://docs.lightning.engineering/lightning-network-tools/lnd/disaster-recovery
- https://docs.voltage.cloud/webhooks
- https://api.lightning.community
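The automated off-site backup workflow described under static channel backups, sketched as an added example (not code from Voltage or the LND project). The function names and the sample line are constructed for illustration; the `Grpc-Metadata-macaroon` header and the `result` / `multi_chan_backup` field names follow LND's REST API and should be checked against your node's version.

```python
import base64
import json
import os
import tempfile
import urllib.request

SUBSCRIBE_PATH = "/v1/channels/backup/subscribe"  # REST path named on this page

# Constructed sample of one stream message (not captured from a real node).
SAMPLE_LINE = (b'{"result": {"multi_chan_backup": {"chan_points": [], '
               b'"multi_chan_backup": "Y29uc3RydWN0ZWQ="}}}')


def extract_multi_backup(line: bytes):
    """Return the encrypted multi-channel backup from one stream line, or None."""
    if not line.strip():
        return None  # blank separator line
    msg = json.loads(line)
    if "error" in msg:
        raise RuntimeError(f"backup stream error: {msg['error']}")
    multi = (msg.get("result") or {}).get("multi_chan_backup") or {}
    blob_b64 = multi.get("multi_chan_backup")
    return base64.b64decode(blob_b64) if blob_b64 else None


def store_backup(blob: bytes, dest_dir: str) -> str:
    """Atomically write the backup with owner-only permissions; return its path."""
    final = os.path.join(dest_dir, "channel.backup")
    fd, tmp = tempfile.mkstemp(dir=dest_dir, prefix=".scb-")  # mkstemp uses mode 0600
    with os.fdopen(fd, "wb") as fh:
        fh.write(blob)
        fh.flush()
        os.fsync(fh.fileno())
    os.replace(tmp, final)  # a reader never sees a half-written backup
    return final


def stream_backups(api_endpoint: str, macaroon_hex: str, dest_dir: str) -> None:
    """Follow the subscription and persist every update until the stream ends."""
    req = urllib.request.Request(
        api_endpoint.rstrip("/") + SUBSCRIBE_PATH,
        headers={"Grpc-Metadata-macaroon": macaroon_hex},  # hex-encoded macaroon
    )
    # Default certificate verification stays on; it works with a CA-signed endpoint.
    with urllib.request.urlopen(req) as resp:
        for line in resp:
            blob = extract_multi_backup(line)
            if blob:
                store_backup(blob, dest_dir)
```

Give `stream_backups` the least-privileged macaroon your node accepts for this call rather than the admin macaroon, and point `dest_dir` at storage that is replicated off the node.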
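For self-hosted nodes, the file-permissions practice above can be checked mechanically. This added example (not part of the original page or of LND) walks a data directory and reports macaroon and TLS key files that anyone other than the owner can access; the function names are hypothetical, and the file names come from the storage table on this page.

```python
import os
import stat


def problem_for(name: str, mode: int):
    """Return a finding string for one file, or None if its mode is acceptable."""
    if name == "tls.key" or name.endswith(".macaroon"):
        if mode & 0o077:  # any group/other bit exposes a credential
            return f"secret accessible beyond owner (mode {mode:04o})"
    elif name == "tls.cert":
        if mode & 0o022:  # the cert is public, but others must not replace it
            return f"certificate writable beyond owner (mode {mode:04o})"
    return None


def audit_lnd_dir(root: str):
    """Walk an LND data directory and return sorted (relative_path, finding) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and special files
            issue = problem_for(name, stat.S_IMODE(st.st_mode))
            if issue:
                findings.append((os.path.relpath(path, root), issue))
    return sorted(findings)
```

An empty list means every checked file is restricted to its owner; any entry names the file to `chmod 600` before the node is exposed to other local users or services.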