Lightning L402 gateway for your API and a public API Hub for discovery. Built for data sellers and AI builders. Non-custodial, pay per call.

© 2026 Signal Tech Pty Ltd. All rights reserved.

Security

We're the hub and the gateway — not the bank. bolthub runs your Lightning node on a VPS you own. We hold no credential capable of moving your funds, no SSH access, and no copy of your wallet seed. This page is the source of truth for what we can and cannot do, with verification steps you can run yourself.

What we hold after your node is finalized

Read-only and mint-only access for the dashboard and L402 paywall, plus an HMAC secret for the on-VM daemon callback. That is it.

| Secret | Scope | CAN do | CANNOT do |
| --- | --- | --- | --- |
| Monitoring macaroon | info:read, offchain:read, onchain:read, peers:read | Read balances, channels, peer list, sync status. Render the dashboard. | Mint invoices, send funds, connect peers, generate addresses, sign messages, see the seed. |
| Invoices macaroon | info:read, invoices:read, invoices:write | Mint Lightning invoices for the L402 paywall. | Touch existing invoices, channels, on-chain wallet, or settled funds. |
| Per-node webhook secret | HMAC of payloads from the on-VM finalize daemon. | Authenticate macaroon-handover and recovery callbacks. | Authenticate to LND. Authenticate to SSH. Move funds. |
| VPS API key (optional, default-purged) | Whatever scope the user issued the token with. | Create, snapshot, or destroy the VPS during the deploy. Purged by default once the VM reports healthy. | Decrypt the wallet, mint invoices, sign LND messages. |

Secrets we never hold

These never enter the bolthub network at any point in the node lifecycle.

Wallet seed phrase (24 words)

Generated inside litd on your VM during wallet creation. Shown once to your browser. Never enters the bolthub network.

LNC pairing phrase

Minted on your VM by the on-VM finalize daemon. Returned to your browser exactly once and persisted only in browser localStorage.

litd UI password

Generated client-side. Only an Argon2id hash ships to your VM via cloud-init. We never see the plaintext.

SSH credentials for your VM

We do not generate or store any SSH key. You can paste your own public key for break-glass access; we forward it without keeping a copy.

Static Channel Backup blob (by default)

Stored in your browser as the primary copy. Cloud sync is opt-in, and even when synced the blob is encrypted by your seed so we cannot decrypt it.

What an attacker with our database could do

Worst case: they have a copy of our Postgres and our wallet encryption key. This is what they could and could not do.

| Capability | Available? | Notes |
| --- | --- | --- |
| Read your node's balances and channel summary | Yes | Monitoring macaroon is read-only. |
| Mint invoices on your node | Yes, harmless | Invoices only let the world send sats to you. They cannot move existing funds. |
| Move your funds (send, open or close channels, on-chain spend) | No | Requires LNC admin or a write macaroon. We hold neither. |
| Re-establish SSH into your VM | No | We do not generate or hold any SSH key for your VM. |
| Decrypt the wallet | No | Wallet is encrypted by your litd password (Argon2id hash on the VM). We never see the plaintext. |
| Read or replay your channel backup | Only if you opt in | The blob is encrypted by your seed, so even cloud-synced copies are unreadable to us. |
| Destroy or snapshot your VM | Only if you opt in | Default-purged after deploy. You can opt in to retention for one-click destroy and rebuild. |
| Recover your seed | No | Seed never enters the bolthub network at any point in any flow. |

How you can verify these claims yourself

Don't take our word for it. Every claim above is independently checkable.

  1. Open Lightning Terminal on your VM and run `lncli printmacaroon` against the macaroons we hold. Compare the printed permissions to the table above.
  2. Run `cat /opt/bolthub/template-sha256` and `/opt/bolthub/verify.sh` on the VM to confirm the rendered cloud-init matches the public release.
  3. Open the node detail page in the dashboard. The Supply-chain provenance card links to the exact public template release used for your deploy.
  4. Check the credential-purge badge after deploy completes. It shows the timestamp at which we revoked your VPS API key.
  5. Browse the public signaltech-org/bolthub-node-launcher-templates repo to read the cloud-init source line by line.
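Step 1 above asks you to compare `lncli printmacaroon` output with the scope table. The following script is an added example (not bolthub's own tooling) that automates that comparison; it assumes the JSON printed by `lncli printmacaroon` carries lnd's "entity:action" strings in a `permissions` list, and the sample outputs below are constructed, not captured from a real node.

```python
import json
import sys

# Declared scopes, copied from the secrets table on this page.
EXPECTED_SCOPES = {
    "monitoring": {"info:read", "offchain:read", "onchain:read", "peers:read"},
    "invoices": {"info:read", "invoices:read", "invoices:write"},
}

def audit_macaroon(name: str, printmacaroon_json: str) -> dict:
    """Compare the JSON printed by `lncli printmacaroon` with the declared
    scope for `name`. The "permissions" list is assumed to hold lnd's
    "entity:action" strings, e.g. "offchain:read"."""
    doc = json.loads(printmacaroon_json)
    actual = set(doc.get("permissions", []))
    expected = EXPECTED_SCOPES[name]
    unexpected = sorted(actual - expected)
    missing = sorted(expected - actual)
    # Any write permission other than invoices:write is a capability the
    # page says these macaroons must not carry (sending, peering, signing).
    write_beyond_invoices = sorted(
        p for p in actual if p.endswith(":write") and p != "invoices:write"
    )
    return {
        "unexpected": unexpected,
        "missing": missing,
        "write_beyond_invoices": write_beyond_invoices,
        "caveats": doc.get("caveats", []),
        "ok": not unexpected and not missing and not write_beyond_invoices,
    }

# Constructed sample outputs (not captured from a real node).
MONITORING_OK = json.dumps({
    "version": 2, "location": "lnd", "root_key_id": 0,
    "permissions": ["info:read", "offchain:read", "onchain:read", "peers:read"],
    "caveats": [],
})
MONITORING_OVERSCOPED = json.dumps({
    "version": 2, "location": "lnd", "root_key_id": 0,
    "permissions": ["info:read", "offchain:read", "onchain:read",
                    "peers:read", "offchain:write"],
    "caveats": [],
})

if __name__ == "__main__":
    # Usage: lncli printmacaroon --macaroon_file X.macaroon | python3 audit.py monitoring
    result = audit_macaroon(sys.argv[1], sys.stdin.read())
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["ok"] else 1)
```

A non-empty `caveats` list (for example an IP lock or expiry) is reported as-is so you can check it too; the exit status makes the check usable from a cron job or a post-deploy hook.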

Architecture choices behind the table

  • No server-side SSH. The bolthub API never holds an SSH private key for any node. Provisioning produces no key. You can supply your own public key for break-glass access; we forward it without storing a copy.
  • Browser-driven finalize. Your browser fetches a one-time-token and POSTs it directly to the on-VM finalize daemon. The daemon mints scoped macaroons and the LNC pairing locally. Only the macaroons phone home, only over an HMAC-authenticated callback.
  • Browser-held LNC. The pairing phrase is persisted only in browser localStorage. Operations that require write capability (peer connect, on-chain receive, channel open) run in your browser against your own LND. Our server is not in the credential path for any of these.
  • Verifiable supply chain. The cloud-init template lives in a public, versioned GitHub repo. Image digests are pinned. Releases are signed with cosign. Each deploy records the template version and SHA-256 it actually rendered, and the dashboard surfaces them.
  • VPS credential purge. The moment cloud-init reports the VM is healthy, we revoke your provider API token (where supported) and null it from our database. You only need to paste a fresh token if you later destroy or rebuild.
  • BYO server path. If you do not want to give us any VPS credentials, we render the cloud-init script and you paste it into a VM you already own. The VM phones home with the per-node webhook token when ready.
  • Recovery without seed exposure. The recovery wizard restores your wallet via litd's own UI, browser to VM directly. The browser then pushes the encrypted SCB blob to the on-VM daemon. The seed never reaches bolthub.
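The "per-node webhook secret" row of the secrets table and the browser-driven finalize bullet both rest on one property: the secret can authenticate a callback and nothing else. The following added example (not bolthub's code, and not the @bolthub/verify API) models both sides of that callback, assuming HMAC-SHA256 over the raw body as the MAC and a nonce-based replay check that the page does not describe; the secret and callback body are constructed placeholders.

```python
import hashlib
import hmac
import json

def sign_callback(secret: bytes, body: bytes) -> str:
    """On-VM daemon side: HMAC-SHA256 over the exact body bytes it will POST."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()
def verify_callback(secret: bytes, body: bytes, signature_hex: str) -> bool:
    """Hub side: recompute the MAC and compare in constant time."""
    return hmac.compare_digest(sign_callback(secret, body), signature_hex)

class CallbackReceiver:
    """Accepts a macaroon-handover callback only when the MAC verifies and the
    nonce is new (the replay check is an assumed addition, not on the page)."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen_nonces: set[str] = set()

    def handle(self, body: bytes, signature_hex: str):
        # Verify before parsing so unauthenticated bytes never reach json.loads.
        if not verify_callback(self.secret, body, signature_hex):
            return None
        msg = json.loads(body)
        if msg["nonce"] in self.seen_nonces:
            return None  # replayed callback
        self.seen_nonces.add(msg["nonce"])
        return msg["macaroons"]  # only the scoped macaroons phone home

# Constructed values: a placeholder per-node secret and a body shaped the way
# a handover callback might look. Neither is a real bolthub value.
NODE_SECRET = b"constructed-example-secret-not-real"
CALLBACK_BODY = json.dumps({
    "node_id": "node-EXAMPLE",
    "nonce": "n-0001",
    "macaroons": {"monitoring": "<monitoring-macaroon-hex>",
                  "invoices": "<invoices-macaroon-hex>"},
}, sort_keys=True).encode()

def demo() -> dict:
    """Run the four cases a verifier must get right."""
    rx = CallbackReceiver(NODE_SECRET)
    sig = sign_callback(NODE_SECRET, CALLBACK_BODY)
    tampered = CALLBACK_BODY.replace(b"n-0001", b"n-0002")
    return {
        "valid": rx.handle(CALLBACK_BODY, sig) is not None,
        "replay": rx.handle(CALLBACK_BODY, sig) is None,
        "tampered": rx.handle(tampered, sig) is None,
        "wrong_secret": rx.handle(CALLBACK_BODY, sign_callback(b"other", CALLBACK_BODY)) is None,
    }
```

Note what a leaked `NODE_SECRET` buys: the ability to forge a callback to the hub, which is why the receiver treats the body as untrusted data to be stored, not as a credential that can reach LND or SSH.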

If you find a security issue

Email contact@bolthub.ai. We respond within one business day. Please do not file public GitHub issues for security bugs.

The detailed engineering reference for the items above lives in the repo at docs/SECURITY.md.