lnrpc: add arguments for stateless wallet initialization to wallet unlocker

This commit adds the --stateless_init flag to all three wallet unlocker operations. Once you initialize a wallet stateless, you need to set this flag for every further wallet unlocker operation. Otherwise you risk non-encrypted macaroon information to leak to the underlying system.
4 years ago · 4c8d374007
3 changed files with 209 additions and 45 deletions
--- a/lnrpc/walletunlocker.pb.go
+++ b/lnrpc/walletunlocker.pb.go
@ -166,10 +166,16 @@ type InitWalletRequest struct {
 	//total data loss occurred. If specified, then after on-chain recovery of
 	//funds, lnd begin to carry out the data loss recovery protocol in order to
 	//recover the funds in each channel from a remote force closed transaction.
-	ChannelBackups       *ChanBackupSnapshot `protobuf:"bytes,5,opt,name=channel_backups,json=channelBackups,proto3" json:"channel_backups,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}            `json:"-"`
-	XXX_unrecognized     []byte              `json:"-"`
-	XXX_sizecache        int32               `json:"-"`
+	ChannelBackups *ChanBackupSnapshot `protobuf:"bytes,5,opt,name=channel_backups,json=channelBackups,proto3" json:"channel_backups,omitempty"`
+	//
+	//stateless_init is an optional argument instructing the daemon NOT to create
+	//any *.macaroon files in its filesystem. If this parameter is set, then the
+	//admin macaroon returned in the response MUST be stored by the caller of the
+	//RPC as otherwise all access to the daemon will be lost!
+	StatelessInit        bool     `protobuf:"varint,6,opt,name=stateless_init,json=statelessInit,proto3" json:"stateless_init,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
 }

 func (m *InitWalletRequest) Reset()         { *m = InitWalletRequest{} }
@ -232,7 +238,21 @@ func (m *InitWalletRequest) GetChannelBackups() *ChanBackupSnapshot {
 	return nil
 }

+func (m *InitWalletRequest) GetStatelessInit() bool {
+	if m != nil {
+		return m.StatelessInit
+	}
+	return false
+}
+
 type InitWalletResponse struct {
+	//
+	//The binary serialized admin macaroon that can be used to access the daemon
+	//after creating the wallet. If the stateless_init parameter was set to true,
+	//this is the ONLY copy of the macaroon and MUST be stored safely by the
+	//caller. Otherwise a copy of this macaroon is also persisted on disk by the
+	//daemon, together with other macaroon files.
+	AdminMacaroon        []byte   `protobuf:"bytes,1,opt,name=admin_macaroon,json=adminMacaroon,proto3" json:"admin_macaroon,omitempty"`
 	XXX_NoUnkeyedLiteral struct{} `json:"-"`
 	XXX_unrecognized     []byte   `json:"-"`
 	XXX_sizecache        int32    `json:"-"`
@ -263,6 +283,13 @@ func (m *InitWalletResponse) XXX_DiscardUnknown() {

 var xxx_messageInfo_InitWalletResponse proto.InternalMessageInfo

+func (m *InitWalletResponse) GetAdminMacaroon() []byte {
+	if m != nil {
+		return m.AdminMacaroon
+	}
+	return nil
+}
+
 type UnlockWalletRequest struct {
 	//
 	//wallet_password should be the current valid passphrase for the daemon. This
@ -283,10 +310,14 @@ type UnlockWalletRequest struct {
 	//total data loss occurred. If specified, then after on-chain recovery of
 	//funds, lnd begin to carry out the data loss recovery protocol in order to
 	//recover the funds in each channel from a remote force closed transaction.
-	ChannelBackups       *ChanBackupSnapshot `protobuf:"bytes,3,opt,name=channel_backups,json=channelBackups,proto3" json:"channel_backups,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}            `json:"-"`
-	XXX_unrecognized     []byte              `json:"-"`
-	XXX_sizecache        int32               `json:"-"`
+	ChannelBackups *ChanBackupSnapshot `protobuf:"bytes,3,opt,name=channel_backups,json=channelBackups,proto3" json:"channel_backups,omitempty"`
+	//
+	//stateless_init is an optional argument instructing the daemon NOT to create
+	//any *.macaroon files in its file system.
+	StatelessInit        bool     `protobuf:"varint,4,opt,name=stateless_init,json=statelessInit,proto3" json:"stateless_init,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
 }

 func (m *UnlockWalletRequest) Reset()         { *m = UnlockWalletRequest{} }
@ -335,6 +366,13 @@ func (m *UnlockWalletRequest) GetChannelBackups() *ChanBackupSnapshot {
 	return nil
 }

+func (m *UnlockWalletRequest) GetStatelessInit() bool {
+	if m != nil {
+		return m.StatelessInit
+	}
+	return false
+}
+
 type UnlockWalletResponse struct {
 	XXX_NoUnkeyedLiteral struct{} `json:"-"`
 	XXX_unrecognized     []byte   `json:"-"`
@ -374,7 +412,18 @@ type ChangePasswordRequest struct {
 	//
 	//new_password should be the new passphrase that will be needed to unlock the
 	//daemon. When using REST, this field must be encoded as base64.
-	NewPassword          []byte   `protobuf:"bytes,2,opt,name=new_password,json=newPassword,proto3" json:"new_password,omitempty"`
+	NewPassword []byte `protobuf:"bytes,2,opt,name=new_password,json=newPassword,proto3" json:"new_password,omitempty"`
+	//
+	//stateless_init is an optional argument instructing the daemon NOT to create
+	//any *.macaroon files in its filesystem. If this parameter is set, then the
+	//admin macaroon returned in the response MUST be stored by the caller of the
+	//RPC as otherwise all access to the daemon will be lost!
+	StatelessInit bool `protobuf:"varint,3,opt,name=stateless_init,json=statelessInit,proto3" json:"stateless_init,omitempty"`
+	//
+	//new_macaroon_root_key is an optional argument instructing the daemon to
+	//rotate the macaroon root key when set to true. This will invalidate all
+	//previously generated macaroons.
+	NewMacaroonRootKey   bool     `protobuf:"varint,4,opt,name=new_macaroon_root_key,json=newMacaroonRootKey,proto3" json:"new_macaroon_root_key,omitempty"`
 	XXX_NoUnkeyedLiteral struct{} `json:"-"`
 	XXX_unrecognized     []byte   `json:"-"`
 	XXX_sizecache        int32    `json:"-"`
@ -419,7 +468,29 @@ func (m *ChangePasswordRequest) GetNewPassword() []byte {
 	return nil
 }

+func (m *ChangePasswordRequest) GetStatelessInit() bool {
+	if m != nil {
+		return m.StatelessInit
+	}
+	return false
+}
+
+func (m *ChangePasswordRequest) GetNewMacaroonRootKey() bool {
+	if m != nil {
+		return m.NewMacaroonRootKey
+	}
+	return false
+}
+
 type ChangePasswordResponse struct {
+	//
+	//The binary serialized admin macaroon that can be used to access the daemon
+	//after rotating the macaroon root key. If both the stateless_init and
+	//new_macaroon_root_key parameter were set to true, this is the ONLY copy of
+	//the macaroon that was created from the new root key and MUST be stored
+	//safely by the caller. Otherwise a copy of this macaroon is also persisted on
+	//disk by the daemon, together with other macaroon files.
+	AdminMacaroon        []byte   `protobuf:"bytes,1,opt,name=admin_macaroon,json=adminMacaroon,proto3" json:"admin_macaroon,omitempty"`
 	XXX_NoUnkeyedLiteral struct{} `json:"-"`
 	XXX_unrecognized     []byte   `json:"-"`
 	XXX_sizecache        int32    `json:"-"`
@ -450,6 +521,13 @@ func (m *ChangePasswordResponse) XXX_DiscardUnknown() {

 var xxx_messageInfo_ChangePasswordResponse proto.InternalMessageInfo

+func (m *ChangePasswordResponse) GetAdminMacaroon() []byte {
+	if m != nil {
+		return m.AdminMacaroon
+	}
+	return nil
+}
+
 func init() {
 	proto.RegisterType((*GenSeedRequest)(nil), "lnrpc.GenSeedRequest")
 	proto.RegisterType((*GenSeedResponse)(nil), "lnrpc.GenSeedResponse")
@ -464,39 +542,45 @@ func init() {
 func init() { proto.RegisterFile("walletunlocker.proto", fileDescriptor_76e3ed10ed53e4fd) }

 var fileDescriptor_76e3ed10ed53e4fd = []byte{
-	// 510 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x9c, 0x54, 0x4f, 0x6b, 0xdb, 0x4e,
-	0x10, 0x45, 0xf6, 0xcf, 0xbf, 0x92, 0x89, 0x91, 0x92, 0xad, 0x63, 0x14, 0xb5, 0x05, 0x47, 0x50,
-	0xec, 0x52, 0xb0, 0x4b, 0x7a, 0xe9, 0xb5, 0x2e, 0x25, 0xf4, 0x10, 0x08, 0x0e, 0x21, 0xd0, 0x8b,
-	0x2b, 0x4b, 0x83, 0x25, 0x2c, 0xcf, 0x6e, 0x77, 0xe5, 0x8a, 0xf4, 0x13, 0xf4, 0x8b, 0xf4, 0xd4,
-	0x2f, 0x59, 0xbc, 0xbb, 0xfe, 0x17, 0xcb, 0xd0, 0xf6, 0xfa, 0xde, 0xbc, 0xdd, 0x79, 0x6f, 0x66,
-	0x17, 0x5a, 0x65, 0x94, 0xe7, 0x58, 0x2c, 0x28, 0xe7, 0xf1, 0x0c, 0x65, 0x5f, 0x48, 0x5e, 0x70,
-	0xd6, 0xc8, 0x49, 0x8a, 0x38, 0x38, 0x92, 0x22, 0x36, 0x48, 0xf8, 0x05, 0xdc, 0x2b, 0xa4, 0x5b,
-	0xc4, 0x64, 0x84, 0x5f, 0x17, 0xa8, 0x0a, 0xf6, 0x1a, 0x4e, 0x23, 0xfc, 0x8e, 0x98, 0x8c, 0x45,
-	0xa4, 0x94, 0x48, 0x65, 0xa4, 0xd0, 0x77, 0x3a, 0x4e, 0xaf, 0x39, 0x3a, 0x31, 0xc4, 0xcd, 0x1a,
-	0x67, 0x17, 0xd0, 0x54, 0xcb, 0x52, 0xa4, 0x42, 0x72, 0xf1, 0xe0, 0xd7, 0x74, 0xdd, 0xf1, 0x12,
-	0xfb, 0x68, 0xa0, 0x30, 0x07, 0x6f, 0x7d, 0x83, 0x12, 0x9c, 0x14, 0xb2, 0x37, 0xd0, 0x8a, 0x33,
-	0x91, 0xa2, 0x1c, 0x6b, 0xf1, 0x9c, 0x70, 0xce, 0x29, 0x8b, 0x7d, 0xa7, 0x53, 0xef, 0x1d, 0x8d,
-	0x98, 0xe1, 0x96, 0x8a, 0x6b, 0xcb, 0xb0, 0x2e, 0x78, 0x48, 0x06, 0xc7, 0x44, 0xab, 0xec, 0x55,
-	0xee, 0x06, 0x5e, 0x0a, 0xc2, 0x1f, 0x35, 0x38, 0xfd, 0x44, 0x59, 0x71, 0xaf, 0xed, 0xaf, 0x3c,
-	0x75, 0xc1, 0x33, 0x79, 0x68, 0x4f, 0x25, 0x97, 0x89, 0x75, 0xe4, 0x1a, 0xf8, 0xc6, 0xa2, 0x07,
-	0x3b, 0xab, 0x1d, 0xec, 0xac, 0x32, 0xae, 0xfa, 0x81, 0xb8, 0xba, 0xe0, 0x49, 0x8c, 0xf9, 0x37,
-	0x94, 0x0f, 0xe3, 0x32, 0xa3, 0x84, 0x97, 0xfe, 0x7f, 0x1d, 0xa7, 0xd7, 0x18, 0xb9, 0x2b, 0xf8,
-	0x5e, 0xa3, 0x6c, 0x08, 0x5e, 0x9c, 0x46, 0x44, 0x98, 0x8f, 0x27, 0x51, 0x3c, 0x5b, 0x08, 0xe5,
-	0x37, 0x3a, 0x4e, 0xef, 0xf8, 0xf2, 0xbc, 0xaf, 0x47, 0xd8, 0xff, 0x90, 0x46, 0x34, 0xd4, 0xcc,
-	0x2d, 0x45, 0x42, 0xa5, 0xbc, 0x18, 0xb9, 0x56, 0x61, 0x60, 0x15, 0xb6, 0x80, 0x6d, 0x27, 0x61,
-	0xb2, 0x0f, 0x7f, 0x39, 0xf0, 0xf4, 0x4e, 0x6f, 0xc5, 0x3f, 0x46, 0x54, 0xe1, 0xa1, 0xf6, 0xa7,
-	0x1e, 0xea, 0x7f, 0xeb, 0xa1, 0x0d, 0xad, 0xdd, 0x66, 0xad, 0x0b, 0x84, 0xb3, 0xa5, 0x7a, 0x8a,
-	0xab, 0xb6, 0x56, 0x36, 0x5e, 0xc1, 0x49, 0xbc, 0x90, 0x12, 0x69, 0xcf, 0x87, 0x67, 0xf1, 0xb5,
-	0x91, 0x0b, 0x68, 0x12, 0x96, 0x9b, 0x32, 0xbb, 0xbb, 0x84, 0xe5, 0xaa, 0x24, 0xf4, 0xa1, 0xfd,
-	0xf8, 0x1a, 0xd3, 0xc0, 0xe5, 0xcf, 0x1a, 0xb8, 0xa6, 0xa7, 0x3b, 0xfb, 0xc4, 0xd8, 0x3b, 0x78,
-	0x62, 0x17, 0x9d, 0x9d, 0x59, 0x87, 0xbb, 0x4f, 0x2b, 0x68, 0x3f, 0x86, 0xed, 0x7b, 0x78, 0x0f,
-	0xb0, 0x99, 0x14, 0xf3, 0x6d, 0xd5, 0xde, 0x1a, 0x07, 0xe7, 0x15, 0x8c, 0x3d, 0xe2, 0x0a, 0x9a,
-	0xdb, 0x41, 0xb1, 0xc0, 0x96, 0x56, 0x8c, 0x3a, 0x78, 0x56, 0xc9, 0xd9, 0x83, 0xae, 0xc1, 0xdd,
-	0xb5, 0xcc, 0x9e, 0x6f, 0x8d, 0x6b, 0x2f, 0xf0, 0xe0, 0xc5, 0x01, 0xd6, 0x1c, 0x37, 0xec, 0x7e,
-	0x7e, 0x39, 0xcd, 0x8a, 0x74, 0x31, 0xe9, 0xc7, 0x7c, 0x3e, 0xc8, 0xb3, 0x69, 0x5a, 0x50, 0x46,
-	0x53, 0xc2, 0xa2, 0xe4, 0x72, 0x36, 0xc8, 0x29, 0x19, 0x68, 0xfd, 0xe4, 0x7f, 0xfd, 0x1f, 0xbd,
-	0xfd, 0x1d, 0x00, 0x00, 0xff, 0xff, 0x94, 0x54, 0xe3, 0x28, 0xb9, 0x04, 0x00, 0x00,
+	// 599 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x94, 0xdd, 0x6a, 0xdb, 0x4c,
+	0x10, 0x86, 0x91, 0x9d, 0xe4, 0xfb, 0x32, 0x71, 0xe4, 0x64, 0x9b, 0x04, 0xc5, 0x6d, 0xc1, 0x11,
+	0x04, 0xbb, 0x14, 0x9c, 0x36, 0x3d, 0x29, 0xf4, 0xa0, 0x34, 0xa5, 0x84, 0x52, 0x02, 0x41, 0x21,
+	0x04, 0x7a, 0xa2, 0x6e, 0xa4, 0xc1, 0x12, 0x96, 0x67, 0xd5, 0xdd, 0x75, 0x85, 0x7b, 0x3f, 0x3d,
+	0xee, 0x25, 0xf4, 0x1e, 0x7a, 0x45, 0x45, 0xab, 0xb5, 0xf3, 0x63, 0x19, 0xfa, 0x73, 0xfa, 0xcc,
+	0xcc, 0xee, 0xbc, 0xef, 0xcc, 0x2e, 0xec, 0x14, 0x3c, 0xcb, 0x50, 0x4f, 0x28, 0x13, 0xd1, 0x08,
+	0xe5, 0x20, 0x97, 0x42, 0x0b, 0xb6, 0x9a, 0x91, 0xcc, 0xa3, 0xce, 0xba, 0xcc, 0xa3, 0x8a, 0xf8,
+	0x9f, 0xc0, 0x3d, 0x45, 0xba, 0x40, 0x8c, 0x03, 0xfc, 0x3c, 0x41, 0xa5, 0xd9, 0x53, 0xd8, 0xe6,
+	0xf8, 0x15, 0x31, 0x0e, 0x73, 0xae, 0x54, 0x9e, 0x48, 0xae, 0xd0, 0x73, 0xba, 0x4e, 0xbf, 0x15,
+	0x6c, 0x55, 0x81, 0xf3, 0x39, 0x67, 0x07, 0xd0, 0x52, 0x65, 0x2a, 0x92, 0x96, 0x22, 0x9f, 0x7a,
+	0x0d, 0x93, 0xb7, 0x51, 0xb2, 0x77, 0x15, 0xf2, 0x33, 0x68, 0xcf, 0x6f, 0x50, 0xb9, 0x20, 0x85,
+	0xec, 0x19, 0xec, 0x44, 0x69, 0x9e, 0xa0, 0x0c, 0x4d, 0xf1, 0x98, 0x70, 0x2c, 0x28, 0x8d, 0x3c,
+	0xa7, 0xdb, 0xec, 0xaf, 0x07, 0xac, 0x8a, 0x95, 0x15, 0x67, 0x36, 0xc2, 0x7a, 0xd0, 0x46, 0xaa,
+	0x38, 0xc6, 0xa6, 0xca, 0x5e, 0xe5, 0xde, 0xe0, 0xb2, 0xc0, 0xff, 0xde, 0x80, 0xed, 0xf7, 0x94,
+	0xea, 0x2b, 0x23, 0x7f, 0xa6, 0xa9, 0x07, 0xed, 0xca, 0x0f, 0xa3, 0xa9, 0x10, 0x32, 0xb6, 0x8a,
+	0xdc, 0x0a, 0x9f, 0x5b, 0xba, 0xb4, 0xb3, 0xc6, 0xd2, 0xce, 0x6a, 0xed, 0x6a, 0x2e, 0xb1, 0xab,
+	0x07, 0x6d, 0x89, 0x91, 0xf8, 0x82, 0x72, 0x1a, 0x16, 0x29, 0xc5, 0xa2, 0xf0, 0x56, 0xba, 0x4e,
+	0x7f, 0x35, 0x70, 0x67, 0xf8, 0xca, 0x50, 0x76, 0x02, 0xed, 0x28, 0xe1, 0x44, 0x98, 0x85, 0xd7,
+	0x3c, 0x1a, 0x4d, 0x72, 0xe5, 0xad, 0x76, 0x9d, 0xfe, 0xc6, 0xf1, 0xfe, 0xc0, 0x8c, 0x70, 0xf0,
+	0x36, 0xe1, 0x74, 0x62, 0x22, 0x17, 0xc4, 0x73, 0x95, 0x08, 0x1d, 0xb8, 0xb6, 0xa2, 0xc2, 0x8a,
+	0x1d, 0x82, 0xab, 0x34, 0xd7, 0x98, 0xa1, 0x52, 0x61, 0x4a, 0xa9, 0xf6, 0xd6, 0xba, 0x4e, 0xff,
+	0xff, 0x60, 0x73, 0x4e, 0x4b, 0xa3, 0xfc, 0x57, 0xc0, 0x6e, 0x1b, 0x66, 0x47, 0x74, 0x08, 0x2e,
+	0x8f, 0xc7, 0x29, 0x85, 0x63, 0x1e, 0x71, 0x29, 0x04, 0x59, 0xc3, 0x36, 0x0d, 0x3d, 0xb3, 0xd0,
+	0xff, 0xe9, 0xc0, 0x83, 0x4b, 0xb3, 0x63, 0x7f, 0x69, 0x78, 0x8d, 0x23, 0x8d, 0xdf, 0x75, 0xa4,
+	0xf9, 0xef, 0x8e, 0xac, 0xd4, 0x39, 0xb2, 0x07, 0x3b, 0x77, 0x35, 0x55, 0x9e, 0xf8, 0x3f, 0x1c,
+	0xd8, 0x2d, 0x6f, 0x19, 0xe2, 0xac, 0xfd, 0x99, 0xdc, 0x27, 0xb0, 0x15, 0x4d, 0xa4, 0x44, 0x5a,
+	0xd0, 0xdb, 0xb6, 0x7c, 0x2e, 0xf8, 0x00, 0x5a, 0x84, 0xc5, 0x4d, 0x9a, 0x7d, 0x31, 0x84, 0xc5,
+	0x3c, 0x65, 0xb1, 0xcd, 0x66, 0x4d, 0x9b, 0xec, 0x39, 0xec, 0x96, 0x27, 0xcd, 0x06, 0x14, 0x4a,
+	0x21, 0x74, 0x38, 0xc2, 0xa9, 0x15, 0xc5, 0x08, 0x8b, 0xd9, 0x9c, 0x02, 0x21, 0xf4, 0x07, 0x9c,
+	0xfa, 0xaf, 0x61, 0xef, 0xbe, 0x80, 0x3f, 0x9a, 0xf7, 0xf1, 0xb7, 0x06, 0xb8, 0x95, 0x2b, 0x97,
+	0xf6, 0x67, 0x61, 0x2f, 0xe1, 0x3f, 0xfb, 0xbe, 0xd9, 0xae, 0x1d, 0xc5, 0xdd, 0x1f, 0xa5, 0xb3,
+	0x77, 0x1f, 0xdb, 0x3b, 0xdf, 0x00, 0xdc, 0x6c, 0x1e, 0xf3, 0x6c, 0xd6, 0xc2, 0xeb, 0xed, 0xec,
+	0xd7, 0x44, 0xec, 0x11, 0xa7, 0xd0, 0xba, 0x3d, 0x2a, 0xd6, 0xb1, 0xa9, 0x35, 0x3b, 0xd9, 0x79,
+	0x58, 0x1b, 0xb3, 0x07, 0x9d, 0x81, 0x7b, 0xd7, 0x19, 0xf6, 0xe8, 0xd6, 0x5e, 0x2d, 0x4c, 0xbc,
+	0xf3, 0x78, 0x49, 0xb4, 0x3a, 0xee, 0xa4, 0xf7, 0xf1, 0x70, 0x98, 0xea, 0x64, 0x72, 0x3d, 0x88,
+	0xc4, 0xf8, 0x28, 0x4b, 0x87, 0x89, 0xa6, 0x94, 0x86, 0x84, 0xba, 0x10, 0x72, 0x74, 0x94, 0x51,
+	0x7c, 0x64, 0xea, 0xaf, 0xd7, 0xcc, 0x37, 0xfc, 0xe2, 0x57, 0x00, 0x00, 0x00, 0xff, 0xff, 0xf8,
+	0x7a, 0x3b, 0x08, 0xb0, 0x05, 0x00, 0x00,
 }

 // Reference imports to suppress errors if they are not otherwise used.
--- a/lnrpc/walletunlocker.proto
+++ b/lnrpc/walletunlocker.proto
@ -141,8 +141,24 @@ message InitWalletRequest {
    recover the funds in each channel from a remote force closed transaction.
    */
    ChanBackupSnapshot channel_backups = 5;
+
+    /*
+    stateless_init is an optional argument instructing the daemon NOT to create
+    any *.macaroon files in its filesystem. If this parameter is set, then the
+    admin macaroon returned in the response MUST be stored by the caller of the
+    RPC as otherwise all access to the daemon will be lost!
+    */
+    bool stateless_init = 6;
 }
 message InitWalletResponse {
+    /*
+    The binary serialized admin macaroon that can be used to access the daemon
+    after creating the wallet. If the stateless_init parameter was set to true,
+    this is the ONLY copy of the macaroon and MUST be stored safely by the
+    caller. Otherwise a copy of this macaroon is also persisted on disk by the
+    daemon, together with other macaroon files.
+    */
+    bytes admin_macaroon = 1;
 }

 message UnlockWalletRequest {
@ -171,6 +187,12 @@ message UnlockWalletRequest {
    recover the funds in each channel from a remote force closed transaction.
    */
    ChanBackupSnapshot channel_backups = 3;
+
+    /*
+    stateless_init is an optional argument instructing the daemon NOT to create
+    any *.macaroon files in its file system.
+    */
+    bool stateless_init = 4;
 }
 message UnlockWalletResponse {
 }
@ -187,6 +209,30 @@ message ChangePasswordRequest {
    daemon. When using REST, this field must be encoded as base64.
    */
    bytes new_password = 2;
+
+    /*
+    stateless_init is an optional argument instructing the daemon NOT to create
+    any *.macaroon files in its filesystem. If this parameter is set, then the
+    admin macaroon returned in the response MUST be stored by the caller of the
+    RPC as otherwise all access to the daemon will be lost!
+    */
+    bool stateless_init = 3;
+
+    /*
+    new_macaroon_root_key is an optional argument instructing the daemon to
+    rotate the macaroon root key when set to true. This will invalidate all
+    previously generated macaroons.
+    */
+    bool new_macaroon_root_key = 4;
 }
 message ChangePasswordResponse {
-}
+    /*
+    The binary serialized admin macaroon that can be used to access the daemon
+    after rotating the macaroon root key. If both the stateless_init and
+    new_macaroon_root_key parameter were set to true, this is the ONLY copy of
+    the macaroon that was created from the new root key and MUST be stored
+    safely by the caller. Otherwise a copy of this macaroon is also persisted on
+    disk by the daemon, together with other macaroon files.
+    */
+    bytes admin_macaroon = 1;
+}
--- a/lnrpc/walletunlocker.swagger.json
+++ b/lnrpc/walletunlocker.swagger.json
@ -180,11 +180,28 @@
          "type": "string",
          "format": "byte",
          "description": "new_password should be the new passphrase that will be needed to unlock the\ndaemon. When using REST, this field must be encoded as base64."
+        },
+        "stateless_init": {
+          "type": "boolean",
+          "format": "boolean",
+          "title": "stateless_init is an optional argument instructing the daemon NOT to create\nany *.macaroon files in its filesystem. If this parameter is set, then the\nadmin macaroon returned in the response MUST be stored by the caller of the\nRPC as otherwise all access to the daemon will be lost!"
+        },
+        "new_macaroon_root_key": {
+          "type": "boolean",
+          "format": "boolean",
+          "description": "new_macaroon_root_key is an optional argument instructing the daemon to\nrotate the macaroon root key when set to true. This will invalidate all\npreviously generated macaroons."
        }
      }
    },
    "lnrpcChangePasswordResponse": {
-      "type": "object"
+      "type": "object",
+      "properties": {
+        "admin_macaroon": {
+          "type": "string",
+          "format": "byte",
+          "description": "The binary serialized admin macaroon that can be used to access the daemon\nafter rotating the macaroon root key. If both the stateless_init and\nnew_macaroon_root_key parameter were set to true, this is the ONLY copy of\nthe macaroon that was created from the new root key and MUST be stored\nsafely by the caller. Otherwise a copy of this macaroon is also persisted on\ndisk by the daemon, together with other macaroon files."
+        }
+      }
    },
    "lnrpcChannelBackup": {
      "type": "object",
@ -276,11 +293,23 @@
        "channel_backups": {
          "$ref": "#/definitions/lnrpcChanBackupSnapshot",
          "description": "channel_backups is an optional argument that allows clients to recover the\nsettled funds within a set of channels. This should be populated if the\nuser was unable to close out all channels and sweep funds before partial or\ntotal data loss occurred. If specified, then after on-chain recovery of\nfunds, lnd begin to carry out the data loss recovery protocol in order to\nrecover the funds in each channel from a remote force closed transaction."
+        },
+        "stateless_init": {
+          "type": "boolean",
+          "format": "boolean",
+          "title": "stateless_init is an optional argument instructing the daemon NOT to create\nany *.macaroon files in its filesystem. If this parameter is set, then the\nadmin macaroon returned in the response MUST be stored by the caller of the\nRPC as otherwise all access to the daemon will be lost!"
        }
      }
    },
    "lnrpcInitWalletResponse": {
-      "type": "object"
+      "type": "object",
+      "properties": {
+        "admin_macaroon": {
+          "type": "string",
+          "format": "byte",
+          "description": "The binary serialized admin macaroon that can be used to access the daemon\nafter creating the wallet. If the stateless_init parameter was set to true,\nthis is the ONLY copy of the macaroon and MUST be stored safely by the\ncaller. Otherwise a copy of this macaroon is also persisted on disk by the\ndaemon, together with other macaroon files."
+        }
+      }
    },
    "lnrpcMultiChanBackup": {
      "type": "object",
@ -315,6 +344,11 @@
        "channel_backups": {
          "$ref": "#/definitions/lnrpcChanBackupSnapshot",
          "description": "channel_backups is an optional argument that allows clients to recover the\nsettled funds within a set of channels. This should be populated if the\nuser was unable to close out all channels and sweep funds before partial or\ntotal data loss occurred. If specified, then after on-chain recovery of\nfunds, lnd begin to carry out the data loss recovery protocol in order to\nrecover the funds in each channel from a remote force closed transaction."
+        },
+        "stateless_init": {
+          "type": "boolean",
+          "format": "boolean",
+          "description": "stateless_init is an optional argument instructing the daemon NOT to create\nany *.macaroon files in its file system."
        }
      }
    },