# LND Remote Signer Guide

Estimated time: 30 min
## Overview

The lnd remote signer architecture splits your Lightning node into two components:

- **Watch-only node** (hosted on Voltage Cloud): contains only public keys and handles all network operations (peers, gossip, channel state, chain watching).
- **Signer node** (your infrastructure): holds the private keys and does nothing except sign when the watch-only node asks it to.

This keeps your private keys off the cloud host and under your control while the watch-only node still benefits from Voltage's reliable infrastructure. Note that the signer is not "offline" in the strict sense: the watch-only node must reach it over gRPC whenever it needs a signature, so the signer is an isolated host you control, not an air-gapped one. See lnd's remote signing documentation for the upstream reference.

## Use cases

Remote signing is ideal when you want to:

- **Maximize security**: keep private keys on hardened, isolated infrastructure instead of the cloud host.
- **Maintain control**: never expose private keys to cloud infrastructure.
- **Meet compliance requirements**: some organizations require key material to remain on premises.
- **Run redundant signers**: multiple signer instances for high availability.

## Prerequisites

Before starting:

- An active Voltage Cloud account with an lnd node deployed.
- Separate, secure infrastructure for hosting the signer node.
- The ability to expose a single gRPC port from your signer to Voltage.
- A basic understanding of lnd operations and gRPC.

## Step-by-step setup guide

### Step 1: Deploy a standard Voltage node

First, deploy a standard lnd node on Voltage Cloud:

1. Log into your Voltage dashboard.
2. Create a new lnd node as normal.
3. Access and save your seed phrase securely. It can be found on your Lightning node dashboard under the "Backup & Export" tab.
4. Let the node fully sync with the Bitcoin network.
5. Stop the node once synced (we'll convert it to watch-only mode).

### Step 2: Set up your signer infrastructure

On your secure infrastructure:

#### 2.1 Install lnd

Use the same lnd version as your Voltage node, and verify the release's signed manifest before installing.

```bash
# Download the same lnd version as your Voltage node
wget https://github.com/lightningnetwork/lnd/releases/download/v0.xx.x/lnd-linux-amd64-v0.xx.x.tar.gz
tar xzf lnd-linux-amd64-v0.xx.x.tar.gz
sudo install -m 0755 -o root -g root -t /usr/local/bin \
  lnd-linux-amd64-v0.xx.x/lnd lnd-linux-amd64-v0.xx.x/lncli
```

#### 2.2 Configure the signer node

Create `/home/lnd/.lnd/lnd.conf`:

```ini
[Application Options]
# Disable p2p listening: the signer never connects to the network
nolisten=true
# Don't connect to bootstrap nodes
nobootstrap=true
# gRPC port that Voltage will connect to
rpclisten=0.0.0.0:10019
# rpclisten is a local *bind* address, not an allow-list: restrict who may
# connect with the firewall rules in Step 7 (or bind only the interface that
# faces Voltage). If Voltage reaches the signer through a public hostname or
# IP, add it to the certificate's SANs, otherwise the watch-only node rejects
# the signer's self-signed TLS certificate:
# tlsextradomain=your-signer-host
# tlsextraip=your-signer-public-ip

[Bitcoin]
# Signal we're using Bitcoin
bitcoin.active=true
bitcoin.mainnet=true
# No chain backend needed for the signer
bitcoin.node=nochainbackend
```

#### 2.3 Initialize the signer with the existing seed

```bash
# Start lnd
lnd --configfile=/home/lnd/.lnd/lnd.conf

# In another terminal, restore with your Voltage seed
lncli create
# Choose "recover existing wallet"
# Enter the seed phrase from your Voltage node
```

The signer's wallet must be unlocked after every restart (`lncli unlock`, or lnd's `wallet-unlock-password-file` option for unattended restarts). Until it is, the watch-only node cannot sign anything.

### Step 3: Export account information

From your signer node, export the extended public keys:

```bash
lncli wallet accounts list > accounts-signer.json
```

This file contains all the xpubs needed for the watch-only wallet. Copy it securely to your local machine. It holds public keys only, but treat it as sensitive: anyone holding it can derive every address the node will ever use.

### Step 4: Create a custom macaroon

Generate a restricted macaroon that only allows signing operations, and copy the TLS certificate alongside it:

```bash
lncli bakemacaroon --save_to signer.custom.macaroon \
  message:write signer:generate address:read onchain:write

# Also copy the TLS certificate
cp ~/.lnd/tls.cert signer.tls.cert
```

### Step 5: Configure the Voltage node for remote signing

**For new nodes (recommended):** contact Voltage support before creating the node and request that it be configured in "watch-only" mode with remote signer settings. This prevents the node from ever being initialized with private keys.

**For existing nodes:** update your `lnd.conf` through the Voltage API using the "update node settings" endpoint: https://docs.voltage.cloud/voltage-api#fema1

Updates needed in `lnd.conf`:

```ini
[remotesigner]
remotesigner.enable=true
remotesigner.rpchost=your-signer-host:10019
remotesigner.tlscertpath=/path/to/signer.tls.cert
remotesigner.macaroonpath=/path/to/signer.custom.macaroon
```

Note: Voltage may need to handle the file uploads for the TLS cert and macaroon. Coordinate with support for the best approach.

### Step 6: Initialize the watch-only wallet

Once remote signer mode is configured:

1. Restart your Voltage node.
2. Initialize it as watch-only using the exported accounts:

```bash
# Via Voltage's terminal or API
lncli createwatchonly accounts-signer.json
```

Note: for new nodes created in watch-only mode, this initialization happens on first startup. For existing nodes being migrated, work with Voltage support to ensure a proper conversion.

### Step 7: Network configuration

Firewall rules on your signer infrastructure:

```bash
# First, obtain your Voltage node's dedicated IP address from the dashboard

# Allow inbound gRPC from the Voltage node's IP only
sudo ufw allow from <voltage-node-ip> to any port 10019 proto tcp

# Deny all other inbound connections
sudo ufw default deny incoming
sudo ufw enable
```

Make sure your own administrative access (for example an SSH rule from the jump host) is allowed before `ufw enable`, or you will lock yourself out of the signer.

**Important network requirements:**

- Your signer must be reachable from the internet on port 10019.
- Each Voltage node has a dedicated IP address (check your node dashboard).
- Restrict access to only your Voltage node's IP.
- Ensure your signer has a stable, publicly accessible hostname or IP.

**TLS considerations:**

- The signer's TLS certificate must be valid for the hostname or IP the watch-only node dials (see `tlsextradomain` / `tlsextraip` in Step 2.2).
- Consider using Let's Encrypt for production deployments.
- The watch-only node pins the certificate file given in `remotesigner.tlscertpath`, so any renewal or regeneration must be followed by uploading the new certificate to Voltage, otherwise connectivity breaks.

## Security best practices

### Signer node hardening

- **Network isolation**: place the signer in a DMZ or separate VLAN, use jump hosts for administration, and allow no outbound internet access.
- **Access control**: implement IP whitelisting, use fail2ban for brute-force protection, and enable SELinux/AppArmor.
- **Monitoring**: log all signing requests, set up alerts for unusual activity, and monitor system resources.
- **Key management**: consider hardware security modules (HSMs), implement key rotation procedures, and maintain secure backups.

### Operational security

- **Regular updates**: keep lnd versions synchronized between the two nodes, apply security patches promptly, and test updates in staging first.
- **Backup strategy**: keep encrypted backups of the signer configuration, test restore procedures regularly, and store backups in multiple locations.
- **Incident response**: document emergency procedures, have rollback plans ready, and maintain communication channels with Voltage support.

## Troubleshooting

### Connection refused

```bash
# Check if the signer is running
systemctl status lnd-signer

# Verify the port is open
netstat -tlnp | grep 10019

# Test connectivity from the Voltage side
telnet <signer-host> 10019
```

### Certificate errors

lnd generates a fresh self-signed certificate on startup if the files are missing:

```bash
# Regenerate certificates if needed
lncli stop
rm ~/.lnd/tls.cert ~/.lnd/tls.key
lnd --configfile=/home/lnd/.lnd/lnd.conf
```

After regenerating, copy the new `tls.cert` to Voltage again (Step 4 and Step 5); the old pinned copy will no longer match.

### Account mismatch

- Ensure all required account xpubs are exported.
- Verify that the purpose / coin type / account values match between the signer export and the watch-only node.
- Check for the taproot account (purpose 86), which is required for lnd v0.15+.

## Migration scenarios

### From standard to remote signer

1. Export the seed from your existing Voltage node.
2. Set up the signer with the same seed.
3. Contact Voltage to enable migration mode.
4. The node will purge its private keys and convert to watch-only.

### Upgrading lnd versions

1. Upgrade the signer node first.
2. Export new account information if needed (a new release may add accounts, as v0.15 did with taproot).
3. Import the new accounts into the watch-only node (`lncli wallet accounts import`).
4. Upgrade the Voltage node.

## Monitoring and maintenance

### Health checks

Create monitoring scripts. In the original ordering the `tail -f` never returned, so the connectivity check after it never ran; the blocking log follow is moved to the end here.

```bash
#!/bin/bash
# Alert on connection issues
if ! nc -z <signer-host> 10019; then
  echo "signer offline!" | mail -s "lnd signer alert" ops@example.com
fi

# Check signer responsiveness (run on the signer host)
lncli --rpcserver=localhost:10019 getinfo

# Monitor signing operations (blocks; run this one interactively or in its own unit)
tail -f ~/.lnd/logs/bitcoin/mainnet/lnd.log | grep "signing"
```

### Performance

- lnd keeps a single persistent gRPC connection to the signer; you do not need to add pooling of your own.
- Consider geographic proximity between Voltage and the signer.
- Monitor network latency: every signature, including channel updates, waits on a round trip to the signer.

## Advanced configurations

### High availability setup

- Deploy multiple signer instances with active/passive failover.
- `remotesigner.rpchost` points at a single endpoint, so failover between signers has to happen at the network layer (a floating IP or a proxy in front of the signers).
- Shared state management between signers.
- Health check automation.

### Hardware security module integration

For maximum security, integrate an HSM:

- Store the master seed in the HSM.
- Derive keys on demand.
- Keep an audit trail for all operations.
- FIPS compliance.

## Support and resources

- **Voltage support**: contact through the dashboard for remote signer setup.
- **lnd documentation**: remote signing guide.
- **Community**: Lightning Network Discord and Telegram groups.

## Conclusion

Remote signing with Voltage Cloud provides the best of both worlds: enterprise-grade infrastructure for your Lightning node operations while maintaining complete control over your private keys. This setup is ideal for security-conscious operators and organizations with strict compliance requirements.

Remember to:

- Test thoroughly in a development environment first.
- Maintain regular backups.
- Keep both nodes updated and synchronized.
- Monitor operations continuously.

With proper setup and maintenance, remote signing offers a robust and secure way to operate Lightning nodes at scale.
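The signer configuration in Step 2.2 and the watch-only `[remotesigner]` section in Step 5 are easy to get subtly wrong (a signer that still listens for peers, a cert that will not match the address Voltage dials, a missing macaroon path). The following pre-flight checker is an added example for this guide, not Voltage or lnd code. It parses both files with Python's `configparser` and reports ERROR/WARN findings; the sample configs embedded in it are constructed for the example and use the same placeholder hostnames and paths as the steps above.

```python
"""Pre-flight checks for an lnd remote-signer configuration pair (added example)."""
import configparser
from typing import List, Optional, Tuple

Finding = Tuple[str, str]  # (level, message)

# Constructed sample: a signer config that forgot the isolation settings.
SIGNER_CONF_WEAK = """\
[Application Options]
rpclisten=0.0.0.0:10019

[Bitcoin]
bitcoin.active=true
bitcoin.mainnet=true
"""

# Constructed sample: the Step 2.2 config with the TLS SAN for the public name.
SIGNER_CONF_OK = """\
[Application Options]
nolisten=true
nobootstrap=true
rpclisten=0.0.0.0:10019
tlsextradomain=your-signer-host

[Bitcoin]
bitcoin.active=true
bitcoin.mainnet=true
bitcoin.node=nochainbackend
"""

# Constructed sample: the Step 5 watch-only section.
WATCHONLY_CONF_OK = """\
[remotesigner]
remotesigner.enable=true
remotesigner.rpchost=your-signer-host:10019
remotesigner.tlscertpath=/path/to/signer.tls.cert
remotesigner.macaroonpath=/path/to/signer.custom.macaroon
"""


def _parse(text: str) -> configparser.ConfigParser:
    # lnd.conf is INI-like. Use '=' as the only delimiter so host:port values
    # are not split, and allow duplicate keys (lnd permits repeated rpclisten).
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp


def _section(cp: configparser.ConfigParser, name: str) -> Optional[str]:
    # lnd treats section names case-insensitively; configparser does not.
    return next((s for s in cp.sections() if s.lower() == name.lower()), None)


def _get(cp: configparser.ConfigParser, section: Optional[str], key: str) -> str:
    if section is None:
        return ""
    return cp.get(section, key, fallback="").strip().lower()


def check_signer_conf(text: str) -> List[Finding]:
    """Findings for the signer's lnd.conf (Step 2.2)."""
    cp = _parse(text)
    app, btc = _section(cp, "Application Options"), _section(cp, "Bitcoin")
    out: List[Finding] = []
    if _get(cp, app, "nolisten") != "true":
        out.append(("ERROR", "nolisten=true missing: signer would accept p2p connections"))
    if _get(cp, app, "nobootstrap") != "true":
        out.append(("ERROR", "nobootstrap=true missing: signer would dial bootstrap peers"))
    rpclisten = _get(cp, app, "rpclisten")
    if not rpclisten:
        out.append(("ERROR", "rpclisten missing: watch-only node has no gRPC endpoint"))
    elif rpclisten.startswith(("0.0.0.0", "[::]")):
        out.append(("WARN", "rpclisten binds all interfaces: firewall the port to the Voltage IP"))
    if not (_get(cp, app, "tlsextradomain") or _get(cp, app, "tlsextraip")):
        out.append(("WARN", "no tlsextradomain/tlsextraip: cert may not match the address Voltage dials"))
    if _get(cp, btc, "bitcoin.node") != "nochainbackend":
        out.append(("ERROR", "bitcoin.node must be nochainbackend on the signer"))
    return out


def check_watchonly_conf(text: str) -> List[Finding]:
    """Findings for the watch-only node's [remotesigner] section (Step 5)."""
    cp = _parse(text)
    rs = _section(cp, "remotesigner")
    if rs is None:
        return [("ERROR", "[remotesigner] section missing")]
    out: List[Finding] = []
    if _get(cp, rs, "remotesigner.enable") != "true":
        out.append(("ERROR", "remotesigner.enable must be true"))
    if ":" not in _get(cp, rs, "remotesigner.rpchost"):
        out.append(("ERROR", "remotesigner.rpchost must be host:port of the signer's rpclisten"))
    for key in ("remotesigner.tlscertpath", "remotesigner.macaroonpath"):
        if not _get(cp, rs, key):
            out.append(("ERROR", f"{key} missing"))
    return out


def errors(findings: List[Finding]) -> List[str]:
    return [msg for level, msg in findings if level == "ERROR"]


if __name__ == "__main__":
    for label, f in (("weak signer", check_signer_conf(SIGNER_CONF_WEAK)),
                     ("ok signer", check_signer_conf(SIGNER_CONF_OK)),
                     ("watch-only", check_watchonly_conf(WATCHONLY_CONF_OK))):
        print(label, f or "clean")
```

Run it against the real files (`check_signer_conf(open("/home/lnd/.lnd/lnd.conf").read())`) before handing the cert and macaroon to Voltage; a remaining WARN on `rpclisten` is expected when you rely on the Step 7 firewall rules rather than binding a specific interface.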
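The "account mismatch" item under Troubleshooting and the "export new account information" step under upgrades both come down to the same question: does the file from `lncli wallet accounts list` (Step 3) contain every account the watch-only wallet needs, from a single master key, for the expected coin type? The checker below is an added example written for this guide, not lnd code. Labelled assumptions: the file is the JSON that `lncli wallet accounts list` prints, where each account carries a `derivation_path` such as `m/84'/0'/0'` and a `master_key_fingerprint`; the required set (BIP44/49/84 accounts, the BIP86 taproot account on lnd v0.15+, and purpose-1017 key families 0 through 9) follows lnd's remote-signing documentation and the `max_key_family` parameter should be adjusted to what your lnd version exports. The sample files are constructed with placeholder xpub strings, not real keys.

```python
"""Validate an accounts export before `lncli createwatchonly` (added example)."""
import json
import re
from typing import Dict, Iterable, List, Set, Tuple


def _version_tuple(v: str) -> Tuple[int, ...]:
    """'v0.15.5-beta' -> (0, 15, 5)."""
    return tuple(int(n) for n in re.findall(r"\d+", v)[:3])


def required_paths(lnd_version: str, coin_type: int = 0, max_key_family: int = 9) -> Set[str]:
    """Account-level derivation paths the watch-only wallet needs (assumed set, see lead-in)."""
    paths = {f"m/{p}'/{coin_type}'/0'" for p in (44, 49, 84)}
    paths |= {f"m/1017'/{coin_type}'/{kf}'" for kf in range(max_key_family + 1)}
    if _version_tuple(lnd_version) >= (0, 15):  # taproot account added in v0.15
        paths.add(f"m/86'/{coin_type}'/0'")
    return paths


def check_accounts(text: str, lnd_version: str, coin_type: int = 0) -> List[str]:
    """Return a list of problems; an empty list means the export looks complete."""
    accounts = json.loads(text).get("accounts", [])
    problems: List[str] = []
    present = {a.get("derivation_path") for a in accounts}
    for p in sorted(required_paths(lnd_version, coin_type) - present):
        problems.append(f"missing account {p}")
    fingerprints = {a.get("master_key_fingerprint") for a in accounts}
    if len(fingerprints) > 1:
        problems.append(f"accounts come from {len(fingerprints)} different master keys")
    for a in accounts:
        path = a.get("derivation_path", "")
        m = re.match(r"m/(\d+)'/(\d+)'/\d+'$", path)
        if not m:
            problems.append(f"unparseable derivation path {path!r}")
        elif int(m.group(2)) != coin_type:
            problems.append(f"{path} uses coin type {m.group(2)}, expected {coin_type}")
    return problems


def sample_accounts(paths: Iterable[str], fingerprint: str = "d34db33f") -> Dict:
    """Constructed accounts.json shaped like the lncli output (placeholder xpubs)."""
    return {"accounts": [{"name": "constructed", "address_type": "UNKNOWN",
                          "derivation_path": p, "extended_public_key": "xpub-placeholder",
                          "master_key_fingerprint": fingerprint} for p in sorted(paths)]}


# Constructed samples: a complete v0.16 export, a pre-taproot v0.14 export,
# and an export whose first account was taken from a different seed.
SAMPLE_COMPLETE = json.dumps(sample_accounts(required_paths("v0.16.0-beta")))
SAMPLE_NO_TAPROOT = json.dumps(sample_accounts(required_paths("v0.14.3-beta")))
_mixed = sample_accounts(required_paths("v0.16.0-beta"))
_mixed["accounts"][0]["master_key_fingerprint"] = "00000000"
SAMPLE_MIXED_KEYS = json.dumps(_mixed)


if __name__ == "__main__":
    print(check_accounts(SAMPLE_COMPLETE, "v0.16.0-beta") or "complete")
    print(check_accounts(SAMPLE_NO_TAPROOT, "v0.16.0-beta"))
    print(check_accounts(SAMPLE_MIXED_KEYS, "v0.16.0-beta"))
```

Run it as `check_accounts(open("accounts-signer.json").read(), "<your lnd version>")` on the copy you are about to upload. The pre-taproot sample reproduces the v0.15+ mismatch the troubleshooting item describes: the export is valid for v0.14 but is missing `m/86'/0'/0'` for a newer node, which is exactly the case the upgrade procedure's "export new account information" step exists for.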