Lightning nodes are in effect hot wallets with substantial balances that must stay on-chain to provide channel liquidity.
We propose to sequester the private keys and secrets in one or more hardened policy signing devices.
When run in external signing mode, the Lightning node uses an alternate signing module that replaces signing with proxy calls to the policy signing devices.
The external signing device applies a complete set of policy controls to ensure that the proposed transaction is safe to sign. Having a complete set of policy controls protects the funds even in the case of a complete compromise of the node software. This will require some overlap in logic between the node software and the policy signer.
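An added example (not code from this project or from c-lightning) of a signer that checks a node-proposed closing transaction against its own channel record before signing. The class and method names, the address allowlist, the fee limit, the specific rules and the HMAC standing in for a real signature are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

class PolicyViolation(Exception):
    """The proposed transaction failed a policy check; nothing is signed."""

@dataclass
class ChannelState:
    # The signer's own record of the channel, never copied from a request.
    funding_sat: int
    our_balance_sat: int

class PolicySigner:
    def __init__(self, secret, allowlist, max_fee_sat):
        self._secret = secret             # stays inside the signing device
        self._allowlist = set(allowlist)  # addresses our funds may be swept to
        self._max_fee_sat = max_fee_sat
        self._channels = {}

    def track_channel(self, chan_id, state):
        self._channels[chan_id] = state

    def sign_mutual_close(self, chan_id, our_addr, our_sat, their_sat):
        """Validate a node-proposed closing transaction, then sign it."""
        state = self._channels.get(chan_id)
        if state is None:
            raise PolicyViolation("unknown channel")
        if our_addr not in self._allowlist:
            raise PolicyViolation("our output pays a non-allowlisted address")
        if our_sat < 0 or their_sat < 0:
            raise PolicyViolation("negative output value")
        fee = state.funding_sat - our_sat - their_sat
        if not 0 <= fee <= self._max_fee_sat:
            raise PolicyViolation("fee outside policy limit")
        if our_sat < state.our_balance_sat - self._max_fee_sat:
            raise PolicyViolation("our output is below our tracked balance")
        msg = f"{chan_id}|{our_addr}|{our_sat}|{their_sat}".encode()
        # Stand-in for the ECDSA signature a real device would produce.
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    # Constructed sample values, not real addresses or keys.
    signer = PolicySigner(b"constructed-secret", {"bc1q-cold-example"}, 2_000)
    signer.track_channel("chan-1", ChannelState(1_000_000, 600_000))
    print(signer.sign_mutual_close("chan-1", "bc1q-cold-example", 599_000, 400_000))
    try:  # a request the signer must refuse even if the node asks for it
        signer.sign_mutual_close("chan-1", "bc1q-other-example", 599_000, 400_000)
    except PolicyViolation as exc:
        print("refused:", exc)
```

Because the balance and funding amount come from the signer's own state, a request that keeps the fee small but shifts value to the counterparty is still refused.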
Proof of Concept
We've implemented a proof of concept of this approach.
C-lightning was chosen for the PoC because of the modular nature of the hsmd process in that
- complete the API implementation
- complete policy controls for the main use cases (hub, merchant, consumer)
- implement a signer plugin system in LND and Eclair, similar to the hsmd process in c-lightning
- utilize security-enhanced hardware, such as a secure element, to protect the private keys and secrets
- use an algorithm such as MuSig for attaching multiple signing devices to one Lightning node
What do you think?
We'd like your input on this approach.
Once the architecture is finalized, we'd like to complete this reference implementation and create the relevant hooks in major Lightning implementations.