# Macaroons
*Cookies with Contextual Caveats for Decentralized Authorization in the Cloud*
- [High level overview on docs.lightning.engineering](https://docs.lightning.engineering/lightning-network-tools/lnd/macaroons)
- [Doc source on GitHub](https://github.com/lightningnetwork/lnd/blob/master/docs/macaroons.md)
- [Technical description in lnd macaroons module](https://github.com/lightningnetwork/lnd/blob/master/macaroons/README.md)
## [High Level Overview > Stateless initialization](https://docs.lightning.engineering/lightning-network-tools/lnd/macaroons#stateless-initialization)
By default, `lnd` creates several macaroon files in its directory. These are unencrypted and, in the case of `admin.macaroon`, provide full access to the daemon. This is a considerable security risk if the `lnd` daemon runs in an environment that is not fully trusted.
The macaroon files are the only files holding highly sensitive information that are not encrypted (unlike the wallet file and the macaroon database file, which contains the [root key](https://github.com/lightninglabs/docs.lightning.engineering/tree/33bc7e27861f932d5d0676912bf45cf608534ceb/docs/macaroons/README.md); those are always encrypted, even if no password is used).
To avoid leaking the macaroon information, `lnd` supports the so-called `stateless initialization` mode:
- The three startup commands `create`, `unlock` and `changepassword` of `lncli` all have a flag called `--stateless_init` that instructs the daemon **not** to create `*.macaroon` files.
- The two operations `create` and `changepassword` that actually create/update the macaroon database return the admin macaroon in the RPC call. Assuming the daemon and `lncli` are not used on the same machine, this leaves no unencrypted macaroon information on the machine where `lnd` runs.
- To be more precise: by default, the `changepassword` command only re-encrypts the macaroon root key in the macaroon DB with the new password. The key itself remains the same, so macaroons issued before the `changepassword` command remain valid. If a user wants to invalidate all previously created macaroons, the `--new_mac_root_key` flag of the `changepassword` command must be used!
- A user of `lncli` will see the returned admin macaroon printed to the screen or saved to a file if the parameter `--save_to=some_file.macaroon` is used.
- **Important:** By default, `lnd` will create the macaroon files during the `unlock` phase, if the `--stateless_init` flag is not used. So to avoid leakage of the macaroon information, use the stateless initialization flag for all three startup commands of the wallet unlocker service!
**Examples:**
Create a new wallet statelessly (first run):
```bash
lncli create --stateless_init --save_to=/safe/location/admin.macaroon
```
Unlock a wallet that has previously been initialized statelessly:
```bash
lncli unlock --stateless_init
```
Use the created macaroon:
```bash
lncli --macaroonpath=/safe/location/admin.macaroon getinfo
```
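Why `changepassword` alone leaves old macaroons valid while `--new_mac_root_key` revokes them, shown with a minimal model of the paper's HMAC-chain construction. This is an added illustration, not lnd's code or its macaroon encoding; the root keys, identifier and caveat string are constructed values.

```go
package main
import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)
// Macaroon models the paper's HMAC-chain construction (illustration, not lnd's format).
type Macaroon struct {
	ID      string   // public identifier, e.g. which root key was used
	Caveats []string // first-party caveats such as "permission=info:read"
	Sig     []byte   // HMAC(...HMAC(HMAC(rootKey, ID), caveat1)..., caveatN)
}

func keyedHash(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// Mint issues a macaroon; only the holder of the secret rootKey can do this.
func Mint(rootKey []byte, id string) *Macaroon {
	return &Macaroon{ID: id, Sig: keyedHash(rootKey, []byte(id))}
}

// AddCaveat attenuates without the root key; the one-way chain means it cannot be stripped.
func (m *Macaroon) AddCaveat(c string) *Macaroon {
	m.Caveats = append(m.Caveats, c)
	m.Sig = keyedHash(m.Sig, []byte(c))
	return m
}

// Verify recomputes the chain from rootKey and checks each caveat via holds. A different
// root key yields a different chain: rotating it revokes old macaroons, re-encrypting does not.
func Verify(rootKey []byte, m *Macaroon, holds func(string) bool) bool {
	sig := keyedHash(rootKey, []byte(m.ID))
	for _, c := range m.Caveats {
		if !holds(c) {
			return false
		}
		sig = keyedHash(sig, []byte(c))
	}
	return hmac.Equal(sig, m.Sig)
}

func main() {
	oldKey, newKey := []byte("constructed-old-root-key"), []byte("constructed-new-root-key")
	m := Mint(oldKey, "root-key-id-0").AddCaveat("permission=info:read")
	isRead := func(c string) bool { return c == "permission=info:read" }
	fmt.Println(Verify(oldKey, m, isRead), Verify(newKey, m, isRead)) // true false
}
```

Re-encrypting the DB with a new wallet password changes nothing that `Verify` sees, which is exactly why only a new root key invalidates macaroons handed out earlier.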
## Paper
**[[Macaroons - Cookies with Contextual Caveats for Decentralized Authorization in the Cloud.pdf]]**
https://research.google/pubs/pub41892/
https://storage.googleapis.com/pub-tools-public-publication-data/pdf/41892.pdf