Voltage claims to be noncustodial, but it really isn't, since they can access users' keys.
On the other hand, whenever you're hosting a node on a VPS, they also can access your keys, so does that mean AWS is the biggest custodian and can be regulated to perform aggressive KYC?
What is the actual difference between Voltage and any VPS you can host a node on?
Hey there,
Graham here, the CEO of Voltage. This is a big question with many parts but I’ll try to answer the best I can (it’s going to be long). There are two very different pieces of this question, the regulation aspect and the technology & custodianship. First off, the definition of custodianship is somewhat murky. There’s always a “yeah, but” to it. Before Bitcoin, your options were to hold cash or put it in a bank (custody). Now we have an amazing new technology that gives us the benefits of those bank type solutions (and more) with an entirely new way to control our money. The invention of Bitcoin has made custody not so black and white. There’s the really obvious example of custodians, like Wallet of Satoshi, then there are things like trusted swap providers. Are those custodial because they own user funds while swapping? There is a huge spectrum to this from your own cold storage to Coinbase. To your point, if Chase bank uses AWS for hosting and AWS could get into their RDS instances to get user credentials or move money, does that make them a custodian? I’d say no, but they’d probably be considered a trusted third party. The biggest conversation here is really around Trust.
For the technology aspect, it’s impossible to do hosting without trust. You gotta trust GoDaddy to keep your website up. No matter the provider (Voltage, Greenlight, etc) you gotta trust the provider to keep the node online. You gotta trust the provider to do the right thing and keep things secure. At Voltage we’ve gone to great lengths to achieve this. We’ve submitted many PRs to LND to enhance its security, like TLS key encryption, Tor key encryption, and more. We aren’t just throwing LND on some VPS and calling it good. There’s no sensitive data on disks or in our databases that’s readable by us. We do keep encrypted backups of some things like seeds and macaroons, but those are encrypted client-side so we never know them. Now, one of your points is around keys for a lightning node. Node keys live encrypted in the node’s database. When a node starts up it must be unlocked by the user with a password that they’ve set and we don’t know. At that time the keys are held inside of the LND process for the duration that process is living. The memory itself from the underlying server is encrypted as well with keys Voltage does not have access to, so the node keys are never living outside of an encrypted space. Of course, some people might want keys running in a different location, à la Remote Signing. This is a great start, but doesn’t fully remove trust from the hosting provider. In today’s remote signing implementations, you still have to trust the hosting provider that the requests that are being sent to the signer are honest. Even with a Watchtower, if your hosting provider is running the Node and Watchtower, then they just shut down the Watchtower and broadcast an old state. To get to the most trustless deployment of ‘node in the cloud and signing outside the node’ you’ll have to run a Bitcoin full node on the signer as well as the node to verify everything. This gets very complicated very fast and there are a million different ways to deploy these things.
In summary, if you want trustless and totally ‘noncustodial’ you gotta do it all yourself. From there, there’s a huge spectrum of trust tradeoffs that just go back to the individual to decide. We offer remote signing as well as other providers, so everyone’s just gotta do what’s best for them. Final point on this is, we’re working hard to make all this better. More hosting options, more signing options, etc. The nodes product we have today is very much a ‘v1’ and the nodes product we’ll have in the months and years to come will be very different.
Now the regulation piece. We’re operating in a brand new space and all of Bitcoin is moving faster than the law can keep up. We have a legal team we work with and we feel totally fine on our regulatory position. Additionally, it’s something we always keep our eyes on. I don’t think there’s any ‘time bomb’ there, especially when you see the other products and services out there. I won’t name names to be respectful, but there’s lots of Bitcoin companies that are very clearly MSBs and are operating without the proper licensing. We’ve got a lot of armchair lawyers in Bitcoin and ultimately it’s up to each company to consult their own legal team, abide by the law the best they can, and watch for clarity as it comes.
Again, this is a big topic and I can rant on, but I’ll stop there. I think the main part of your question was around VPS hosts and what happens when you put your Bitcoin keys on it. I think that depends on a ton of factors, but for us, we try to encrypt everywhere so it's more than a standard VPS deployment. There’s trust and tradeoffs all over the place, everyone’s just gotta find their balance.
reply
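The at-rest scheme Graham describes (seed and macaroon backups encrypted client-side with a password the host never sees, plaintext existing only inside the unlocked process) can be sketched in code. The block below is an added example written for this thread; it is not Voltage's or LND's code and does not reproduce LND's actual wallet or backup format. It assumes a constructed placeholder seed and password, writes out PBKDF2-HMAC-SHA256 by hand so it needs only the Go standard library, uses AES-256-GCM for the sealed blob, and the names SealSeed, UnlockSeed and SealedSeed are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// pbkdf2Sha256 is plain PBKDF2-HMAC-SHA256 (RFC 8018), written out here so the
// example needs only the standard library. Iteration count slows brute force
// against the stored blob if the host (or a thief) ever tries the password offline.
func pbkdf2Sha256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	numBlocks := (keyLen + hashLen - 1) / hashLen
	var out []byte
	idx := make([]byte, 4)
	for block := 1; block <= numBlocks; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx, uint32(block))
		prf.Write(idx)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// SealedSeed is everything the hosting provider gets to store. None of these
// fields is the seed, and the password that derives the key never reaches the host.
type SealedSeed struct {
	Salt  []byte // random KDF salt, stored in the clear
	Nonce []byte // random GCM nonce, stored in the clear
	Box   []byte // AES-256-GCM ciphertext followed by its authentication tag
}

const backupLabel = "seed-backup-v1" // bound into the GCM tag as associated data (example value)
const kdfIterations = 100_000

// SealSeed runs on the user's side: password in, opaque blob out.
func SealSeed(seed []byte, password string) (SealedSeed, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return SealedSeed{}, err
	}
	key := pbkdf2Sha256([]byte(password), salt, kdfIterations, 32)
	block, err := aes.NewCipher(key)
	if err != nil {
		return SealedSeed{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return SealedSeed{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return SealedSeed{}, err
	}
	return SealedSeed{Salt: salt, Nonce: nonce, Box: gcm.Seal(nil, nonce, seed, []byte(backupLabel))}, nil
}

// UnlockSeed is what the node does at startup with the user's password. The
// return value is the plaintext the running process now holds in memory.
func UnlockSeed(s SealedSeed, password string) ([]byte, error) {
	key := pbkdf2Sha256([]byte(password), s.Salt, kdfIterations, 32)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	seed, err := gcm.Open(nil, s.Nonce, s.Box, []byte(backupLabel))
	if err != nil {
		// Wrong password and a tampered blob look the same: the GCM tag fails.
		return nil, errors.New("unlock failed: wrong password or modified backup")
	}
	return seed, nil
}

func main() {
	seed := []byte("constructed placeholder seed entropy") // not a real wallet seed
	sealed, err := SealSeed(seed, "correct horse battery staple")
	if err != nil {
		panic(err)
	}
	fmt.Println("host stores salt :", hex.EncodeToString(sealed.Salt))
	fmt.Println("host stores nonce:", hex.EncodeToString(sealed.Nonce))
	fmt.Println("host stores box  :", hex.EncodeToString(sealed.Box))
	if _, err := UnlockSeed(sealed, "guess"); err != nil {
		fmt.Println("wrong password  :", err)
	}
	plain, _ := UnlockSeed(sealed, "correct horse battery staple")
	fmt.Printf("after unlock, in process memory: %q\n", plain)
}
```

What the host stores (salt, nonce, box) is useless without the password, which is the "encrypted at rest, we never know them" argument. What UnlockSeed returns is the plaintext the running node needs, which is the in-memory point raised later in the thread: the at-rest control says nothing about who can read the process once it is unlocked, so that has to be covered separately (memory encryption, or moving signing off the host entirely).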
Thanks for the thoughtful answer Graham! There's a meme in the air that all hosting is bad. The reality is that every deployment model has trade-offs and where and how you deploy can be a nuanced answer depending on what you're trying to achieve. For a great many use cases, running a lightning node on a managed hosting provider lands on the right side of the balance.
reply
Couldn't have gotten a better answer. Very well written!
reply
Blockstream Greenlight fixes this
reply
Yeehhh... Stoked... Any idea about a release date?
reply
Idk but don't think that long anymore
reply
You hold the keys, they host the server
reply
it's hosted core lightning. how do the criticisms here not also apply to greenlight? it's a similar setup, just with core lightning.
reply
They have no control over your keys, voltage has control over your keys. Under regulatory pressure voltage could rugpull you, greenlight couldn't.
reply
how though? whether you hold the key to unlock the node or not, once it's running, it's all in memory. so how is it different? in addition, the core lightning database is not encrypted. if they use a remote database like postgres, then the entire database is unencrypted and accessible to anyone with admin privileges on the database. at least lnd's is encrypted on the filesystem. also core lightning seems to be developed with the philosophy that if the server the node is on is compromised, then you've already lost. so there is little to no authentication on the rpc socket. if they have access to the server, which they probably do since they are running it for you, then theoretically they could do whatever they want once the node is running.
reply
The keys aren't in their memory as the keys never leave your device. All signing happens on your client (eg Smartphone).
reply
since they can access users' keys.
I don't believe this is true. I think the keys are encrypted on the client side by the user, Voltage only stores the encrypted keys and does not have access to the keys themselves afaik
reply
The counter-argument goes: voltage has access to the host machines the nodes are running on and could theoretically read the keys from the machine’s memory.
I think it was @fiatjaf who schooled me on this.
There are different shades of custodial.
reply
Yep, I don't see much difference in Voltage vs other hosting and thus I actually never understood the value of Voltage. It seems like when custodial, then it's much easier to use something like Wallet of Satoshi.
Am I wrong? (I would love to be wrong on this)
reply
For a consumer yes, but you can't run your business on Wallet of Satoshi once you reach a certain scale.
reply
I'm not well-versed on low-level computing but this reminds me of the heartbleed bug from a few years back, so I get how it's feasible. How practically possible though? I mean, the danger here goes well beyond lightning nodes if every cloud provider could access the memory of every server it hosts. Not saying it isn't possible, but a much bigger trust issue if true
reply
Lol. No, AWS isn’t a custodian.
reply
They are. They hold the keys to any coins stored on nodes on their servers. Your keys, your coins. Amazon's keys, Amazon's coins.
reply
No, they don’t hold the keys in their raw form, they are encrypted client side and there’s no way for them to de-encrypt and spend/move your funds, that’s why they are considered non-custodian
reply
I think you are wrong. If the node (ie lnd) runs on AWS, then the keys are there, in the memory and their SREs can likely access it.
Can someone prove me wrong?
reply
theoretically, yes. practically, no. there are many layers of technical and policy controls in place to keep random SREs from touching customer instances.
reply
If the controls are "we don't want to" instead of "we can't do it" then it's custodial. What if I set up a bank and established a policy of "we don't let our employees touch customer funds" -- would that exempt me from needing a banking license? No. Amazon shouldn't get special treatment and neither should voltage. If they have access to unencrypted user keys in device memory then they are custodians of money.
(Btw I don't think licenses to transmit money or to do banking should exist in the first place. But custody exists and people who have it should be clear about it.)
reply
Same for Wallet of Satoshi.
reply
Well technically, yes. But if you look at it that way, then Amazon owns a lot of private info belonging to other huge corporations that use their services. Amazon tells you that the data is "secure" and they respect their customer's data, but how far their "concern" for your data goes, I don't know either. Someone more knowledgeable with the legal technicalities of cloud providers and their obligations to the state should be able to tell you more. But, obviously, if the state is involved - you are stupid to think that the CIA doesn't already have the info and capabilities to read any byte stored across any disk that AWS controls. If you want to fight the USD hegemony, you can't use their own infrastructure on their own land (includes land they bought in other countries) to defeat them - that's being stupid, and the opposite of sovereign. Uncle Sam will come for you if he wants to.
reply
This is my understanding as well. If it's in memory on someone else's machine, it's theirs.
reply
If AWS is not a custodian, why does Voltage have to make up all the security theater about not having access to users' keys and so on? They could just say: "we are a company that rents computers for hosting Lightning nodes, like AWS, but specialized in this specific niche".
reply
Regardless of the key question, anything you don't host yourself can be shut down at your behest. That goes from full nodes, to VPS access for hybrid nodes, to simple internet access by your internet provider.
reply
Suddenly the hetzner news is less mysterious.
reply
from voltage discord:
Node keys live encrypted in the node’s database. When a node starts up it must be unlocked by the user with a password that they’ve set and we don’t know. At that time the keys are held inside of the LND process for the duration that process is living so LND can read them. The memory itself from the underlying server is encrypted as well with keys Voltage does not have access to, so the node keys are never living outside of an encrypted space.
reply
It's well known that Google, Amazon, Apple and Microsoft own most of Bitcoins as the lot of seeds have been stored on their servers in many ways by the Bitcoiners kek
reply
how can they access user keys?? they are encrypted by the users and only the user can decrypt.
reply
It must be decrypted, at least in the memory, otherwise the node couldn't function. Amazon has physical access to the machines.
reply