From 2246a060850832114ab4eda22551d494045f3c7f Mon Sep 17 00:00:00 2001
From: openoms
Date: Thu, 2 Sep 2021 16:25:58 +0100
Subject: [PATCH 1/5] clnRepair: set wallet unencrypted after reset

---
 home.admin/99clnRepairMenu.sh | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/home.admin/99clnRepairMenu.sh b/home.admin/99clnRepairMenu.sh
index d384dfc49..ad25e233e 100644
--- a/home.admin/99clnRepairMenu.sh
+++ b/home.admin/99clnRepairMenu.sh
@@ -95,8 +95,17 @@ case $CHOICE in
 # reset
 sudo rm /home/bitcoin/.lightning/${CLNETWORK}/hsm_secret
 sudo rm /home/bitcoin/.lightning/${CLNETWORK}/*.*
+ # make sure the new hsm_secret is treated as unencrypted and clear autounlock
+ sudo sed -i \
+ "s/^${netprefix}clnEncryptedHSM=.*/${netprefix}clnEncryptedHSM=off/g" \
+ /mnt/hdd/raspiblitz.conf
+ sudo sed -i \
+ "s/^${netprefix}clnAutoUnlock=.*/${netprefix}clnEncryptedHSM=off/g" \
+ /mnt/hdd/raspiblitz.conf
 # new
 /home/admin/config.scripts/cln.hsmtool.sh new $CHAIN
+ # set the lightningd service file
+ /home/admin/config.scripts/cln.install-service.sh $CHAIN
 ;;
 
 FILERESTORE)

From ccda78fe5f579fde05fb7062c074aa5033f035fc Mon Sep 17 00:00:00 2001
From: openoms
Date: Thu, 2 Sep 2021 16:28:04 +0100
Subject: [PATCH 2/5] cln.hsmtool: set conf if wallet is not encrypted

---
 home.admin/config.scripts/cln.hsmtool.sh | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/home.admin/config.scripts/cln.hsmtool.sh b/home.admin/config.scripts/cln.hsmtool.sh
index 8ff414bd1..c2ca81d19 100644
--- a/home.admin/config.scripts/cln.hsmtool.sh
+++ b/home.admin/config.scripts/cln.hsmtool.sh
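Review bot: The second sed in the reset arm rewrites the `${netprefix}clnAutoUnlock=` line as `${netprefix}clnEncryptedHSM=off`, so raspiblitz.conf loses its autounlock key and gains a duplicate clnEncryptedHSM entry; the replacement should read `"s/^${netprefix}clnAutoUnlock=.*/${netprefix}clnAutoUnlock=off/g"`. Editing only the conf also leaves any password file stored for autounlock in place although the hsm_secret it belonged to has just been deleted; going through `/home/admin/config.scripts/cln.hsmtool.sh autounlock-off $CHAIN` here would keep the conf edit and the password-file handling in one place, assuming that script takes the chain as its second argument the way the `new $CHAIN` call below does. The `case` statement this arm belongs to starts outside the hunk.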
@@ -130,9 +130,21 @@ function decryptHSMsecret() {
 else
 echo "# Getting the password from $passwordFile"
 fi
+ trap 'rm -f "$output"' EXIT
+ output=$(mktemp -p /dev/shm/)
 sudo cat $passwordFile | sudo -u bitcoin \
 /home/bitcoin/lightning/tools/hsmtool decrypt \
- $hsmSecretPath || exit 1
+ "$hsmSecretPath" 2> "$output"
+ if [ "$(grep -c "hsm_secret is not encrypted" < "$output")" -gt 0 ];then
+ echo "# The hsm_secret is not encrypted"
+ echo "# Continue to record in the raapiblitz.conf"
+ else
+ cat "$output"
+ # try again then exit
+ sudo cat $passwordFile | sudo -u bitcoin \
+ /home/bitcoin/lightning/tools/hsmtool decrypt \
+ "$hsmSecretPath" || exit 1
+ fi
 shredPasswordFile
 # setting value in raspiblitz config
 sudo sed -i \
@@ -342,5 +354,5 @@ else
 exit 1
 fi
 
-# set the lightnind service file after all choices unless exited before
+# set the lightningd service file after all choices unless exited before
 /home/admin/config.scripts/cln.install-service.sh $CHAIN

From 6d52f742f3efc3a17a4ef78526158ddd7d0d1fd4 Mon Sep 17 00:00:00 2001
From: openoms
Date: Thu, 2 Sep 2021 19:43:26 +0100
Subject: [PATCH 3/5] cln-plugin.bakup: fix alias and backup when off

---
 home.admin/config.scripts/cln-plugin.backup.sh | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/home.admin/config.scripts/cln-plugin.backup.sh b/home.admin/config.scripts/cln-plugin.backup.sh
index 0af6a8f55..fb8cfa058 100644
--- a/home.admin/config.scripts/cln-plugin.backup.sh
+++ b/home.admin/config.scripts/cln-plugin.backup.sh
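Review bot: The success case of decryptHSMsecret is not handled: when the password is right, the first `hsmtool decrypt` rewrites hsm_secret in place and exits 0 with nothing on stderr (its success message goes to stdout, as far as I can tell), so `grep -c "hsm_secret is not encrypted"` finds nothing, the else branch re-runs decrypt against a now-plaintext file, that second run fails, and the function `exit 1`s before shredPasswordFile and the conf update. Branch on the exit status of the first pipeline instead of running the tool a second time, and treat the "not encrypted" message as the only tolerated failure. The re-run also pushes the password through `sudo cat` twice for no gain. decryptHSMsecret starts before this hunk and its conf update continues after it.
```shell
  trap 'rm -f "$output"' EXIT
  output=$(mktemp -p /dev/shm/)
  if sudo cat $passwordFile | sudo -u bitcoin \
    /home/bitcoin/lightning/tools/hsmtool decrypt \
    "$hsmSecretPath" 2> "$output"; then
    echo "# Decrypted the hsm_secret"
  elif grep -q "hsm_secret is not encrypted" "$output"; then
    echo "# The hsm_secret is not encrypted"
    echo "# Continue to record in the raspiblitz.conf"
  else
    cat "$output"
    exit 1
  fi
  # … unchanged: shredPasswordFile and the raspiblitz.conf update …
```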
@@ -81,8 +81,13 @@ if [ $1 = on ];then
 elif [ $1 = off ];then
 echo "# Removing the backup plugin"
- sudo rm -f /home/bitcoin/${netprefix}cln-plugins-enabled/backup
-
+¬ sudo rm -f /home/bitcoin/${netprefix}cln-plugins-enabled/backup.py
+ echo "# Backup the existing old backup on the SDcard"
+ now=$(date +"%Y_%m_%d_%H%M%S")
+ sudo mv /home/bitcoin/${netprefix}lightningd.sqlite3.backup \
+ /home/bitcoin/${netprefix}lightningd.sqlite3.backup.${now}
+ echo "# Removing the backup.lock file"
+ sudo rm -f /home/bitcoin/.lightning/${CLNETWORK}/backup.lock
 elif [ $1 = restore ];then
@@ -115,12 +120,12 @@ elif [ $1 = restore ];then
 sudo systemctl start ${netprefix}lightningd
 fi
-elif [ $1 = backup-compact ];then
+elif [ $1 = backup-compact ];then
 if sudo ls /home/bitcoin/.lightning/${CLNETWORK}/lightningd.sqlite3;then
 # https://github.com/lightningd/plugins/tree/master/backup#performing-backup-compaction
 echo "# Running $lightning-cli backup-compact ..."
- $lightning-cli backup-compact
+ $lightningcli_alias backup-compact
 else
 echo "# No /home/bitcoin/.lightning/${CLNETWORK}/lightningd.sqlite3 is present"

From 4949977ed49bf247982713809e22d1d5e3087089 Mon Sep 17 00:00:00 2001
From: openoms
Date: Thu, 2 Sep 2021 19:44:13 +0100
Subject: [PATCH 4/5] clnRepair: decrypt, autounlock-off on seed restore

---
 home.admin/99clnRepairMenu.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/home.admin/99clnRepairMenu.sh b/home.admin/99clnRepairMenu.sh
index ad25e233e..3f12ae91e 100644
--- a/home.admin/99clnRepairMenu.sh
+++ b/home.admin/99clnRepairMenu.sh
@@ -156,6 +156,8 @@ case $CHOICE in
 source $_temp 2>/dev/null
 sudo rm $_temp 2>/dev/null
 # regenerate config
+ /home/admin/config.scripts/cln.hsmtool.sh autounlock-off
+ /home/admin/config.scripts/cln.hsmtool.sh decrypt
 /home/admin/config.scripts/cln.install.sh on $CHAIN
 ;;
 

From f47b077ea7900fd498bf7e0c64114abadd7a6574 Mon Sep 17 00:00:00 2001
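Review bot: `sudo mv /home/bitcoin/${netprefix}lightningd.sqlite3.backup …` in the off branch runs unconditionally, so when no backup file exists (the plugin never wrote one, or `off` is run twice) mv prints an error and returns non-zero; wrap it as `if [ -f /home/bitcoin/${netprefix}lightningd.sqlite3.backup ]; then … fi`. Each run also leaves one more timestamped copy of the full channel database on the SD card with no retention, and that file deserves the same handling as the wallet itself — a comment stating that the copies are intentional and who is expected to prune them would help the next maintainer. The `+¬ sudo rm -f … backup.py` line shows a stray non-ASCII character before the command as rendered here; if that character is in the committed file rather than a display artifact, bash will try to execute it as a command and the plugin file is never removed. The if/elif chain these branches belong to starts outside the hunk.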
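Review bot: The two new `cln.hsmtool.sh` calls in the seed-restore arm pass no chain argument, while the neighbouring `cln.install.sh on $CHAIN` and the `cln.hsmtool.sh new $CHAIN` call in the reset arm do; if cln.hsmtool.sh derives `netprefix`/`CLNETWORK` from its second argument, a testnet or signet restore would run autounlock-off and decrypt against the mainnet wallet. Use `/home/admin/config.scripts/cln.hsmtool.sh autounlock-off $CHAIN` and `/home/admin/config.scripts/cln.hsmtool.sh decrypt $CHAIN`. Note also that `decrypt` runs before `cln.install.sh on $CHAIN`, so it acts on whatever hsm_secret exists at that moment rather than on the wallet presumably regenerated from the sourced seed words — confirm that order is intended. The `case` statement starts outside the hunk.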
From: openoms
Date: Thu, 2 Sep 2021 19:49:23 +0100
Subject: [PATCH 5/5] cln.backup: detect imported file encryption cln.hsmtool: improve unlock logic

---
 home.admin/config.scripts/cln.backup.sh | 37 +++++--
 home.admin/config.scripts/cln.hsmtool.sh | 121 ++++++++++++++---
 2 files changed, 103 insertions(+), 55 deletions(-)

diff --git a/home.admin/config.scripts/cln.backup.sh b/home.admin/config.scripts/cln.backup.sh
index 42a587491..efeabc74e 100755
--- a/home.admin/config.scripts/cln.backup.sh
+++ b/home.admin/config.scripts/cln.backup.sh
@@ -272,17 +272,38 @@ if [ ${mode} = "cln-import-gui" ]; then
 # TODO: check if update of CLN is needed (see detailes in cln-import) for edge case
- # TODO: auto-unlock for c-lightning?
 # turn off auto-unlock if activated because password c might now change
- # if [ "${autoUnlock}" == "on" ]; then
- # /home/admin/config.scripts/cln.autounlock.sh off
- # fi
+ /home/admin/config.scripts/cln.hsmtool.sh autounlock-off
+
+ # detect if the imported hsm_secret is encrypted
+ # use the variables for the default network
+ source <(/home/admin/config.scripts/network.aliases.sh getvars cln)
+ hsmSecretPath="/home/bitcoin/.lightning/${CLNETWORK}/hsm_secret"
+ # check if encrypted
+ trap 'rm -f "$output"' EXIT
+ output=$(mktemp -p /dev/shm/)
+ echo "test" | sudo -u bitcoin \
+ /home/bitcoin/lightning/tools/hsmtool decrypt \
+ "$hsmSecretPath" 2> "$output"
+ if [ "$(grep -c "hsm_secret is not encrypted" < "$output")" -gt 0 ];then
+ echo "# The hsm_secret is not encrypted"
+ echo "# Record in raspiblitz.conf"
+ sudo sed -i \
+ "s/^${netprefix}clnEncryptedHSM=.*/${netprefix}clnEncryptedHSM=off/g" \
+ /mnt/hdd/raspiblitz.conf
+ else
+ cat $output
+ echo "# Starting cln.hsmtool.sh unlock"
+ /home/admin/config.scripts/cln.hsmtool.sh unlock # there are mutiple wallets possible, need to check for non-default ones too
+ fi
 
- # restarting lnd & give final info
+ # restarting cln & give final info
 sudo systemctl start lightningd
- echo "DONE - lightningd is now restarting .. Password C is now like within your rescue file"
- echo "Check that CLN is starting up correctly and your old channel & funds are restored."
- echo "Take into account that some channels might have been force closed in the meanwhile."
+ echo
+ echo "# DONE - lightningd is now starting"
+ echo "# Check that CLN is starting up correctly and your old channels & funds are restored."
+ echo "# Take into account that some channels might have been force closed in the meanwhile."
+ echo
 exit 0
 fi
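Review bot: The encryption probe pipes the literal passphrase `test` into `hsmtool decrypt`, which is an in-place operation and only behaves like a read-only check because the passphrase is expected to be wrong; should a user's passphrase ever be `test`, the import would silently turn the secret into plaintext and then still take the else branch that calls unlock. lightningd tells the two formats apart by file size (a plaintext hsm_secret is 32 bytes — confirm against the installed version), so a test such as `if [ "$(sudo stat -c %s "$hsmSecretPath")" -eq 32 ]; then` detects encryption without touching the file at all. The same probe is added to decryptHSMsecret in cln.hsmtool.sh later in this patch. In the else branch `cat $output` should be `cat "$output"` to match the quoting used on the surrounding lines.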
diff --git a/home.admin/config.scripts/cln.hsmtool.sh b/home.admin/config.scripts/cln.hsmtool.sh
index c2ca81d19..874f7991a 100644
--- a/home.admin/config.scripts/cln.hsmtool.sh
+++ b/home.admin/config.scripts/cln.hsmtool.sh
@@ -100,7 +100,12 @@ function shredPasswordFile() {
 echo
 echo "# Shredding the passwordFile"
 echo
- sudo shred -uvz $passwordFile
+ if [ -f /dev/shm/.${netprefix}cln.pw ];then
+ sudo shred -uvz /dev/shm/.${netprefix}cln.pw
+ fi
+ if [ -f /root/${netprefix}cln.pw ];then
+ sudo shred -uvz /root/${netprefix}cln.pw
+ fi
 }
 
 function encryptHSMsecret() {
@@ -117,7 +122,7 @@ function encryptHSMsecret() {
 (echo $walletPassword; echo $walletPassword) | sudo -u bitcoin \
 /home/bitcoin/lightning/tools/hsmtool encrypt \
 $hsmSecretPath || exit 1
- # setting value in raspiblitz config
+ # setting value in raspiblitz.conf
 sudo sed -i \
 "s/^${netprefix}clnEncryptedHSM=.*/${netprefix}clnEncryptedHSM=on/g" \
 /mnt/hdd/raspiblitz.conf
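Review bot: The second `-f` test in shredPasswordFile checks `/root/${netprefix}cln.pw`, but the autounlock path in this same file keeps the password at `/root/.${netprefix}cln.pw` (the `mv` in the autounlock-on hunk and the `cp` in autounlock-off both use the dotted name), so the copy that persists on disk is never matched and never shredded; both the test and the shred should name `/root/.${netprefix}cln.pw`. The same dotless check is added in the autounlock-off branch of this patch, where it also keeps the copy-back and the shred from ever running. `[ -f /root/… ]` is moreover evaluated by the invoking shell rather than under sudo, so with a 0700 /root it is false even with the right name — `if sudo test -f /root/.${netprefix}cln.pw; then` would be reliable. The removed `sudo shred -uvz $passwordFile` covered whatever location a caller had put in `passwordFile`; if that variable can point anywhere else, that case is now skipped silently.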
@@ -125,31 +130,45 @@ function encryptHSMsecret() {
 }
 
 function decryptHSMsecret() {
- if [ ! -f $passwordFile ];then
- passwordToFile
- else
- echo "# Getting the password from $passwordFile"
- fi
+
+ # check if encrypted
 trap 'rm -f "$output"' EXIT
 output=$(mktemp -p /dev/shm/)
- sudo cat $passwordFile | sudo -u bitcoin \
+ echo "test" | sudo -u bitcoin \
 /home/bitcoin/lightning/tools/hsmtool decrypt \
 "$hsmSecretPath" 2> "$output"
 if [ "$(grep -c "hsm_secret is not encrypted" < "$output")" -gt 0 ];then
 echo "# The hsm_secret is not encrypted"
- echo "# Continue to record in the raapiblitz.conf"
+ shredPasswordFile
+ echo "# Continue to record in the raspiblitz.conf"
 else
- cat "$output"
- # try again then exit
- sudo cat $passwordFile | sudo -u bitcoin \
- /home/bitcoin/lightning/tools/hsmtool decrypt \
- "$hsmSecretPath" || exit 1
+ # setting value in raspiblitz.conf
+ sudo sed -i \
+ "s/^${netprefix}clnEncryptedHSM=.*/${netprefix}clnEncryptedHSM=on/g" \
+ /mnt/hdd/raspiblitz.conf
+ if [ -f $passwordFile ];then
+ echo "# Getting the password from $passwordFile"
+ else
+ passwordToFile
+ fi
+ if sudo cat $passwordFile | sudo -u bitcoin \
+ /home/bitcoin/lightning/tools/hsmtool decrypt \
+ "$hsmSecretPath" ; then
+ echo "# Decrypted successfully"
+ else
+ # unlock manually
+ /home/admin/config.scripts/cln.hsmtool.sh unlock
+ # attempt to decrypt again
+ sudo cat $passwordFile | sudo -u bitcoin \
+ /home/bitcoin/lightning/tools/hsmtool decrypt \
+ "$hsmSecretPath" || echo "# Couldn't decrypt"; exit 1
+ fi
 fi
 shredPasswordFile
 # setting value in raspiblitz config
 sudo sed -i \
- "s/^${netprefix}clnEncryptedHSM=.*/${netprefix}clnEncryptedHSM=off/g" \
- /mnt/hdd/raspiblitz.conf
+ "s/^${netprefix}clnEncryptedHSM=.*/${netprefix}clnEncryptedHSM=off/g" \
+ /mnt/hdd/raspiblitz.conf
 echo "# Decrypted the hsm_secret for C-lightning $CHAIN"
 }
 
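Review bot: In the retry branch of decryptHSMsecret, `"$hsmSecretPath" || echo "# Couldn't decrypt"; exit 1` exits unconditionally, because `;` terminates the `||` list — a successful second decrypt still aborts with status 1 before shredPasswordFile and the conf update run; write it as `"$hsmSecretPath" || { echo "# Couldn't decrypt"; exit 1; }`. The nested `/home/admin/config.scripts/cln.hsmtool.sh unlock` call passes no chain, so if this script takes the chain from `$2` the fallback would unlock the default network's wallet rather than `$CHAIN`. The `trap … EXIT` installed here is process-wide and replaces any EXIT trap the script set before calling the function; if there is one, the cleanup belongs in it rather than in this function. The function closes inside the hunk.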
@@ -220,40 +239,43 @@ seedwords6x4='${seedwords6x4}'
 
 /home/admin/config.scripts/cln-plugin.backup.sh on $CHAIN
 exit 0
-
+
 elif [ "$1" = "unlock" ]; then
- # getpassword
- if [ $(sudo journalctl -n5 -u ${netprefix}lightningd | \
- grep -c 'encrypted-hsm: Could not read pass from stdin.') -gt 0 ];then
- if [ -f $passwordFile ];then
- echo "# Wrong passwordFile is present"
- else
- echo "# No passwordFile is present"
- fi
- passwordToFile
- sudo systemctl restart ${netprefix}lightningd
-
- # configure --encrypted-hsm
- elif [ $(sudo journalctl -n5 -u ${netprefix}lightningd | \
- grep -c 'hsm_secret is encrypted, you need to pass the \--encrypted-hsm startup option.') -gt 0 ];then
- echo "# The hsm_secret encrypted, but unlock is not configured"
- passwordToFile
- # setting value in raspiblitz config
- sudo sed -i \
- "s/^${netprefix}clnEncryptedHSM=.*/${netprefix}clnEncryptedHSM=on/g" \
- /mnt/hdd/raspiblitz.conf
- /home/admin/config.scripts/cln.install-service.sh $CHAIN
- fi
-
 # check if unlocked
 attempt=0
 while [ $($lightningcli_alias getinfo | grep -c '"id":') -eq 0 ];do
+
+ # getpassword
 if [ $(sudo journalctl -n5 -u ${netprefix}lightningd | \
+ grep -c 'encrypted-hsm: Could not read pass from stdin.') -gt 0 ];then
+ if [ -f $passwordFile ];then
+ echo "# Wrong passwordFile is present"
+ else
+ echo "# No passwordFile is present"
+ fi
+ passwordToFile
+ sudo systemctl restart ${netprefix}lightningd
+
+ # configure --encrypted-hsm
+ elif [ $(sudo journalctl -n5 -u ${netprefix}lightningd | \
+ grep -c 'hsm_secret is encrypted, you need to pass the --encrypted-hsm startup option.') -gt 0 ];then
+ echo "# The hsm_secret is encrypted, but unlock is not configured"
+ passwordToFile
+ # setting value in raspiblitz config
+ sudo sed -i \
+ "s/^${netprefix}clnEncryptedHSM=.*/${netprefix}clnEncryptedHSM=on/g" \
+ /mnt/hdd/raspiblitz.conf
+ /home/admin/config.scripts/cln.install-service.sh $CHAIN
+
+ # get new password
+ elif [ $(sudo journalctl -n5 -u ${netprefix}lightningd
| \
 grep -c 'Wrong password for encrypted hsm_secret.') -gt 0 ];then
 echo "# Wrong password"
 sudo rm -f $passwordFile
 passwordToFile "Wrong password - type the decryption password for the $CHAIN C-lightning wallet"
 sudo systemctl restart ${netprefix}lightningd
+
+ # fail
 elif [ $attempt -eq 12 ];then
 echo "# Failed to unlock the ${netprefix}lightningd wallet - giving up after 1 minute"
 echo "# Check: sudo journalctl -u ${netprefix}lightningd"
@@ -309,7 +331,7 @@ elif [ "$1" = "decrypt" ]; then
 
 elif [ "$1" = "autounlock-on" ]; then
 if grep -Eq "${netprefix}clnEncryptedHSM=on" /mnt/hdd/raspiblitz.conf;then
- echo "# Moving the password from $passwordFile"
+ echo "# Moving the password from $passwordFile to /root/.${netprefix}cln.pw"
 sudo -u bitcoin mv /dev/shm/.${netprefix}cln.pw /root/.${netprefix}cln.pw
 else
 passwordFile=/root/.${netprefix}cln.pw
@@ -317,16 +339,21 @@ elif [ "$1" = "autounlock-on" ]; then
 fi
 # setting value in raspiblitz config
 sudo sed -i \
- "s/^${netprefix}clnAutoUnlock=.*/${netprefix}clnEncryptedHSM=on/g" \
- /mnt/hdd/raspiblitz.conf
+ "s/^${netprefix}clnAutoUnlock=.*/${netprefix}clnAutoUnlock=on/g" \
+ /mnt/hdd/raspiblitz.conf
 echo "# Autounlock is on for C-lightning $CHAIN"
 
 elif [ "$1" = "autounlock-off" ]; then
- sudo -u bitcoin mv /root/.${netprefix}cln.pw /dev/shm/.${netprefix}cln.pw
+ if [ -f /root/${netprefix}cln.pw ];then
+ sudo cp /root/.${netprefix}cln.pw /dev/shm/.${netprefix}cln.pw
+ sudo shred -uzv /root/.${netprefix}cln.pw
+ sudo chmod 600 /dev/shm/.${netprefix}cln.pw
+ sudo chown bitcoin:bitcoin /dev/shm/.${netprefix}cln.pw
+ fi
 # setting value in raspiblitz config
 sudo sed -i \
- "s/^${netprefix}clnAutoUnlock=.*/${netprefix}clnEncryptedHSM=off/g" \
- /mnt/hdd/raspiblitz.conf
+ "s/^${netprefix}clnAutoUnlock=.*/${netprefix}clnAutoUnlock=off/g" \
+ /mnt/hdd/raspiblitz.conf
 echo "# Autounlock is off for C-lightning $CHAIN"
 
 elif [ "$1" = "change-password" ]; then
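Review bot: Each pass of the unlock loop calls `sudo journalctl -n5 -u ${netprefix}lightningd` once per elif, so the three branches may inspect different five-line windows of the journal within one iteration, and right after the `systemctl restart` in a branch the next pass can still see the previous run's error lines and prompt or restart again before lightningd has logged anything new — unless a sleep at the loop's tail, which lies outside the hunk, separates iterations. Read the journal once per pass with `lastlog=$(sudo journalctl -n5 -u ${netprefix}lightningd)` and test each branch against it, e.g. `if grep -q 'encrypted-hsm: Could not read pass from stdin.' <<<"$lastlog"; then`, and likewise for the other two patterns. The `attempt` counter's increment and the loop's `done` are also outside the hunk.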
@@ -345,7 +372,7 @@ elif [ "$1" = "check" ]; then
 # dumponchaindescriptors [network]
 # get current descriptors
 sudo -u bitcoin /home/bitcoin/lightning/tools/hsmtool dumponchaindescriptors \
- /home/bitcoin/.lightning/${CLNETWORK}/hsm_secret $CLNETWORK
+ /home/bitcoin/.lightning/${CLNETWORK}/hsm_secret $CLNETWORK
 # get seed to compare