rpc: encryptwallet help, mention HD seed rotation and backup requirement #28980

pull furszy wants to merge 1 commits into bitcoin:master from furszy:2023_rpc_wallet_encryptwallet changing 1 files +6 −2
  1. furszy commented at 0:47 am on December 1, 2023: member

    Small and simple PR, updating the encryptwallet help message.

    Better to notify users about the HD seed rotation and the new backup requirement before executing the encryption process. Ensuring they are prepared to update previous backups and securely safeguard the updated wallet file.

  2. DrahtBot commented at 0:47 am on December 1, 2023: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Code Coverage

    For detailed information about the code coverage, see the test coverage report.

    Reviews

    See the guideline for information on the review process.

    Type Reviewers
    ACK S3RK, achow101
    Concept ACK luke-jr
    Stale ACK pablomartin4btc, jonatack

    If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

  3. DrahtBot added the label RPC/REST/ZMQ on Dec 1, 2023
  4. in src/wallet/rpc/encrypt.cpp:226 in 6739760ae5 outdated
    219@@ -220,7 +220,11 @@ RPCHelpMan encryptwallet()
    220                 "After this, any calls that interact with private keys such as sending or signing \n"
    221                 "will require the passphrase to be set prior the making these calls.\n"
    222                 "Use the walletpassphrase call for this, and then walletlock call.\n"
    223-                "If the wallet is already encrypted, use the walletpassphrasechange call.\n",
    224+                "If the wallet is already encrypted, use the walletpassphrasechange call.\n"
    225+                "** IMPORTANT **\n"
    226+                "For security reasons, the encryption process will generate a new HD seed, leading to the creation of a fresh set of active descriptors. "
    227+                "Therefore, it is crucial to replace any existing backups of your wallet file with the newly generated, encrypted wallet file.\n"
    


    MarnixCroes commented at 1:07 am on December 1, 2023:
    0                "Therefore, it is crucial to replace any existing backups of your wallet file with the newly generated wallet file, containing the new encrypted keys.\n"
    

    I read it as the wallet file itself being encrypted. I’d tweak the wording a bit to prevent confusion.


    furszy commented at 1:21 am on December 1, 2023:
    Sure. Done as suggested.
  5. furszy force-pushed on Dec 1, 2023
  6. in src/wallet/rpc/encrypt.cpp:225 in 40a5117c02 outdated
    219@@ -220,7 +220,11 @@ RPCHelpMan encryptwallet()
    220                 "After this, any calls that interact with private keys such as sending or signing \n"
    221                 "will require the passphrase to be set prior the making these calls.\n"
    222                 "Use the walletpassphrase call for this, and then walletlock call.\n"
    223-                "If the wallet is already encrypted, use the walletpassphrasechange call.\n",
    224+                "If the wallet is already encrypted, use the walletpassphrasechange call.\n"
    225+                "** IMPORTANT **\n"
    226+                "For security reasons, the encryption process will generate a new HD seed, leading to the creation of a fresh set of active descriptors. "
    


    MarnixCroes commented at 1:33 am on December 1, 2023:
    0                "For security reasons, the encryption process will generate a new HD seed, leading to the creation of a fresh set of active descriptors.\n"
    

    nit, new line forgotten? (sry didn’t notice at previous review)


    furszy commented at 1:56 am on December 1, 2023:
    That was on purpose. To continue the paragraph.

    pablomartin4btc commented at 7:55 pm on December 1, 2023:

    optional nit

    0                "For security reasons, the encryption process will generate a new HD seed, resulting in the creation of a fresh set of active descriptors. "
    

    elminson commented at 3:13 am on December 2, 2023:
    I like the wording by @pablomartin4btc

    furszy commented at 1:08 pm on December 2, 2023:
    done
  7. MarnixCroes approved
  8. MarnixCroes commented at 1:53 am on December 1, 2023: contributor
    ack
  9. pablomartin4btc approved
  10. pablomartin4btc commented at 7:59 pm on December 1, 2023: member
    ACK 40a5117c020e6ecfc5b57909900eb7afb8a486d9
  11. furszy force-pushed on Dec 2, 2023
  12. pablomartin4btc approved
  13. pablomartin4btc commented at 0:22 am on December 3, 2023: member
    re ACK 30983e4e30a136ce7d2efc3639f0c17ed89ea38b
  14. in src/wallet/rpc/encrypt.cpp:226 in 30983e4e30 outdated
    219@@ -220,7 +220,11 @@ RPCHelpMan encryptwallet()
    220                 "After this, any calls that interact with private keys such as sending or signing \n"
    221                 "will require the passphrase to be set prior the making these calls.\n"
    222                 "Use the walletpassphrase call for this, and then walletlock call.\n"
    223-                "If the wallet is already encrypted, use the walletpassphrasechange call.\n",
    224+                "If the wallet is already encrypted, use the walletpassphrasechange call.\n"
    225+                "** IMPORTANT **\n"
    226+                "For security reasons, the encryption process will generate a new HD seed, resulting in the creation of a fresh set of active descriptors. "
    227+                "Therefore, it is crucial to replace any existing backups with the newly generated wallet file, containing the new encrypted keys.\n"
    


    S3RK commented at 1:37 pm on December 3, 2023:

    Replace is not correct, because the old keys can still have coins on them.

    We should recommend: a) making a new backup, bot not removing/replacing the old one just yet b) optional. In case the user believes the old keys could be compromised then direct them to sweep the old keys, e.g. with sendall RPC

    UPD: After thinking more, I understood it depends on how the users performs the back up. If they back up the whole wallet file - it’s safe. But just backing up the new HD seed is not safe. So, it seems recommending replacing backup is still slightly dangerous.


    furszy commented at 3:18 pm on December 3, 2023:

    UPD: After thinking more, I understood it depends on how the users performs the back up. If they back up the whole wallet file - it’s safe. But just backing up the new HD seed is not safe. So, it seems recommending replacing backup is still slightly dangerous.

    Well, core currently lacks a mechanism for retrieving the HD seed. It refrains from outputting the seed post wallet creation and advises the user to back up the entire wallet file instead. The same procedure can be seen after encryption at the GUI level too: link.

    And yeah, replacing the old wallet file with the new one is safe, as it retains old keys after encryption. The only change is the storage of the new master seed and its derived descriptors.


    jonatack commented at 6:39 pm on December 4, 2023:

    s/file, containing/file that contains/

    Suggest:

    “Therefore, it is crucial to make a fresh backup of the newly generated wallet file.”


    willcl-ark commented at 9:31 pm on December 4, 2023:

    To make it even more clear to the end user that i) a backup is imperative and ii) that a new backup will contain both sets of descriptors, you could consider something like:

    0"After wallet encryption is complete and before making any transactions, you must immediately make a new backup of the wallet file, which will contain the new and old descriptors, using the `backupwallet` RPC.\n"
    

    furszy commented at 10:17 pm on December 4, 2023:

    “Therefore, it is crucial to make a fresh backup of the newly generated wallet file.”

    The goal behind the “replace” wording is to avoid situations where users restore the wallet from the previous backup, thinking it is the latest one, and blames core for not detecting the balance.


    jonatack commented at 10:25 pm on December 4, 2023:

    and blames core for not detecting the balance

    I think I would avoid recommending that users delete (replace) their wallet files, as potential loss of funds is a worse case.


    furszy commented at 10:26 pm on December 4, 2023:

    To make it even more clear to the end user that i) a backup is imperative and ii) that a new backup will contain both sets of descriptors, you could consider something like:

    0"After wallet encryption is complete and before making any transactions, you must immediately make a new backup of the wallet file, which will contain the new and old descriptors, using the `backupwallet` RPC.\n"
    

    I think the current text is slightly better because it alerts users without scaring them. But, if there is a higher preference for it, could change it.

    Aside from that, agree on mentioning backupwallet there 👍🏼 .

  15. in src/wallet/rpc/encrypt.cpp:227 in 30983e4e30 outdated
    219@@ -220,7 +220,11 @@ RPCHelpMan encryptwallet()
    220                 "After this, any calls that interact with private keys such as sending or signing \n"
    221                 "will require the passphrase to be set prior the making these calls.\n"
    222                 "Use the walletpassphrase call for this, and then walletlock call.\n"
    223-                "If the wallet is already encrypted, use the walletpassphrasechange call.\n",
    224+                "If the wallet is already encrypted, use the walletpassphrasechange call.\n"
    225+                "** IMPORTANT **\n"
    226+                "For security reasons, the encryption process will generate a new HD seed, resulting in the creation of a fresh set of active descriptors. "
    227+                "Therefore, it is crucial to replace any existing backups with the newly generated wallet file, containing the new encrypted keys.\n"
    228+                "Please exercise caution and ensure that you securely backup the updated wallet file to safeguard your funds and wallet information.\n",
    


    jonatack commented at 6:34 pm on December 4, 2023:

    “backup” is a noun spelled as a single word, while “back up” is a verb spelled as 2 words

    0                "Please exercise caution and ensure that you securely back up the updated wallet file to safeguard your funds and wallet information.\n",
    

    furszy commented at 10:30 pm on December 4, 2023:
    Sure. Done as suggested
  16. jonatack commented at 6:39 pm on December 4, 2023: member
    Concept ACK, suggest the doc: prefix or rpc, doc: for the pull title
  17. furszy force-pushed on Dec 4, 2023
  18. furszy commented at 10:31 pm on December 4, 2023: member
    Updated per feedback. Thanks everyone.
  19. luke-jr commented at 3:18 am on December 5, 2023: member
    utACK
  20. in src/wallet/rpc/encrypt.cpp:227 in e26c4aa4af outdated
    219@@ -220,7 +220,11 @@ RPCHelpMan encryptwallet()
    220                 "After this, any calls that interact with private keys such as sending or signing \n"
    221                 "will require the passphrase to be set prior the making these calls.\n"
    222                 "Use the walletpassphrase call for this, and then walletlock call.\n"
    223-                "If the wallet is already encrypted, use the walletpassphrasechange call.\n",
    224+                "If the wallet is already encrypted, use the walletpassphrasechange call.\n"
    225+                "** IMPORTANT **\n"
    226+                "For security reasons, the encryption process will generate a new HD seed, resulting in the creation of a fresh set of active descriptors. "
    227+                "Therefore, it is crucial to replace any existing backups with the newly generated wallet file that contains the new encrypted keys.\n"
    228+                "Please exercise caution and ensure that you securely back up the updated wallet file to safeguard your funds and wallet information. See `backupwallet` RPC.\n",
    


    jonatack commented at 3:46 am on December 5, 2023:

    This is now a bit verbose and redundant, and does not address #28980 (review).

    Suggest:

    “Therefore, it is crucial to securely back up the newly generated wallet file using the backupwallet RPC.”

    Also suggest the doc: prefix or rpc, doc: for the pull title.


    furszy commented at 7:51 pm on December 5, 2023:

    It seems that we commented at the same time and I missed #28980 (review). Thanks for pointing it out.

    Suggestions applied. Thanks.

  21. furszy force-pushed on Dec 5, 2023
  22. furszy force-pushed on Dec 5, 2023
  23. furszy commented at 7:52 pm on December 5, 2023: member
    Updated per feedback. Thanks. Applied #28980 (review) suggestions.
  24. pablomartin4btc approved
  25. pablomartin4btc commented at 7:59 pm on December 5, 2023: member
    reACK e6b9a6dba79144cbe77c59515541f9019d1db4b5
  26. DrahtBot requested review from luke-jr on Dec 5, 2023
  27. DrahtBot requested review from jonatack on Dec 5, 2023
  28. jonatack commented at 9:00 pm on December 5, 2023: member

    ACK e6b9a6dba79144cbe77c59515541f9019d1db4b5

    This change would result in the following help:

    0$ ./src/bitcoin-cli -signet help encryptwallet
    1encryptwallet "passphrase"
    2
    3Encrypts the wallet with 'passphrase'. This is for first time encryption.
    4After this, any calls that interact with private keys such as sending or signing 
    5will require the passphrase to be set prior the making these calls.
    6Use the walletpassphrase call for this, and then walletlock call.
    7If the wallet is already encrypted, use the walletpassphrasechange call.
    8** IMPORTANT **
    9For security reasons, the encryption process will generate a new HD seed, resulting in the creation of a fresh set of active descriptors. Therefore, it is crucial to securely back up the newly generated wallet file using the backupwallet RPC.
    

    If you agree and/or need to retouch, maybe do

    0-                "For security reasons, the encryption process will generate a new HD seed, resulting in the creation of a fresh set of active descriptors. "
    1-                "Therefore, it is crucial to securely back up the newly generated wallet file using the backupwallet RPC.\n",
    2+                "For security reasons, the encryption process will generate a new HD seed, resulting\n"
    3+                "in the creation of a fresh set of active descriptors. Therefore, it is crucial to\n"
    4+                "securely back up the newly generated wallet file using the backupwallet RPC.\n",
    

    for a more harmonious output

     0$ ./src/bitcoin-cli -signet help encryptwallet
     1encryptwallet "passphrase"
     2
     3Encrypts the wallet with 'passphrase'. This is for first time encryption.
     4After this, any calls that interact with private keys such as sending or signing 
     5will require the passphrase to be set prior the making these calls.
     6Use the walletpassphrase call for this, and then walletlock call.
     7If the wallet is already encrypted, use the walletpassphrasechange call.
     8** IMPORTANT **
     9For security reasons, the encryption process will generate a new HD seed, resulting
    10in the creation of a fresh set of active descriptors. Therefore, it is crucial to
    11securely back up the newly generated wallet file using the backupwallet RPC.
    

    Also, should we change this as well?

    0                 },
    1@@ -271,7 +272,7 @@ RPCHelpMan encryptwallet()
    2         throw JSONRPCError(RPC_WALLET_ENCRYPTION_FAILED, "Error: Failed to encrypt the wallet.");
    3     }
    4 
    5-    return "wallet encrypted; The keypool has been flushed and a new HD seed was generated (if you are using HD). You need to make a new backup.";
    6+    return "wallet encrypted; The keypool has been flushed and a new HD seed was generated. You need to make a new backup with the backupwallet RPC.";
    
  29. furszy force-pushed on Dec 5, 2023
  30. rpc, doc: encryptwallet, mention HD seed rotation and new backup
    Better to notify users about the HD seed rotation and the new
    backup requirement before executing the encryption process.
    Ensuring they are prepared to update previous backups and
    securely safeguard the updated wallet file.
    
    Co-authored-by: jonatack <jon@atack.com>
    ca09415e63
  31. furszy force-pushed on Dec 5, 2023
  32. furszy commented at 9:47 pm on December 5, 2023: member
    Tackled both points. Thanks @jonatack.
  33. S3RK commented at 8:17 am on December 6, 2023: contributor
    ACK ca09415e630f0f7de9160cab234bd5ba6968ff2d
  34. DrahtBot requested review from jonatack on Dec 6, 2023
  35. DrahtBot requested review from pablomartin4btc on Dec 6, 2023
  36. MarnixCroes approved
  37. MarnixCroes commented at 8:26 am on December 6, 2023: contributor
    ack ca09415e630f0f7de9160cab234bd5ba6968ff2d
  38. willcl-ark commented at 9:30 am on December 6, 2023: member
    ack ca09415e630f0f7de9160cab234bd5ba6968ff2d
  39. fanquake assigned achow101 on Dec 6, 2023
  40. achow101 commented at 3:34 pm on December 6, 2023: member
    ACK ca09415e630f0f7de9160cab234bd5ba6968ff2d
  41. achow101 merged this on Dec 6, 2023
  42. achow101 closed this on Dec 6, 2023

  43. furszy deleted the branch on Dec 6, 2023
  44. jonatack commented at 7:37 pm on December 6, 2023: member
    Post-merge ACK
  45. bitcoin locked this on Dec 5, 2024

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-12-23 09:12 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me