Many people have been asking about and/or been confused by the different usernames, passwords, and passphrases involved. I thought it would be a good idea to compile this information in one place for easy reference. In regards to dcrd, dcrwallet, and dcrctl there are effectively 2 usernames and 4 passwords/passphrases involved. It is easiest to break these down into 3 categories as follows:
1. One username/password pair is used for the dcrd RPC server authentication. Whenever you run dcrd with the --rpcuser (-u) and --rpcpass (-P) options, you are indicating that you would like for dcrd to run an RPC server that is protected by those credentials.
2. Another username/password pair is used for the dcrwallet RPC server authentication. Whenever you run dcrwallet with the --username (-u) and --password (-P) options, you are indicating that you would like for dcrwallet to run an RPC server that is protected by those credentials and to connect to dcrd using the same credentials. It is possible to have different credentials for both servers, in which case you can use the --dcrdusername and --dcrdpassword parameters to configure wallet to connect to the dcrd RPC server using those different credentials.
3. The wallet encryption public and private passphrases. These are the passphrases you entered when creating the wallet. The private encryption passphrase is required, however the public encryption passphrase is optional. If you chose to use public encryption, the public encryption passphrase is specified to dcrwallet with the --walletpass option. These encryption passphrases have to do with how the data on disk and in memory is encrypted. All private keys are encrypted via your private encryption passphrase, while public information is (optionally) encrypted via your public encryption passphrase. This is why the wallet requires you to unlock it with the private encryption passphrase in order to sign transactions (which is required in order to send funds, purchase tickets, and vote).
Hi @davecgh, how can I configure dcrctl to work without specifying -u and -P?
For dcrd I created the config file /home/dyrk/.dcrd/dcrd.conf
Code:
    rpcuser=dyrk
    rpcpass=123
For dcrwallet I created the config file /home/dyrk/.dcrwallet/dcrwallet.conf
Code:
    username=dyrk
    password=123
And now both work as expected without the -u and -P parameters on the command line. But dcrctl still throws the error "401 Unauthorized." and I didn't find a config example for it in the wiki.
@Dyrk
Code:
    $ dcrctl -h
    ...
    -C, --configfile: Path to configuration file (/home/davec/.dcrctl/dcrctl.conf)
    -u, --rpcuser: RPC username
    -P, --rpcpass: RPC password
    ...
So, you create ~/.dcrctl/dcrctl.conf with:
Code:
    rpcuser=dyrk
    rpcpass=123
From what I understand, I think the wallet passphrase is the most important since it's needed for unlocking our wallet and sending funds somewhere else. But can you explain to me what the point of a passphrase for public data would be, even on Mainnet?
I answered in another thread, but I'll copy it here for visibility as well. There are several pieces of "pseudo public" information which are still useful to protect against general public knowledge for the privacy conscious among us. For example, all addresses are generated deterministically, so each account has an extended public key associated with it. If you don't have your local wallet database encrypting those extended public keys, anyone who got your wallet database would then easily be able to determine every address you have used and will ever use. With that information they could then determine your exact balances and track every single transaction involving you for as long as you continue using the same seed. Note that this doesn't mean they could actually steal your coins or anything as those details are encrypted by the private passphrase you are required to have.
Aye, I was just posting it here for visibility purposes. People trying to understand the different usernames and passphrases will likely be looking at this thread, so I thought it would be useful to have it consolidated a little more.
I do not have a user and pass; I have only 30 words, a Decred address, a Decred ID and HEX. What should I do to get the user and pass for all programs?
They can be anything you want them to be! They are your own personal usernames/passwords you want to use to protect your setup.
Are there any characters we'd better avoid in those passphrases for possible compatibility issues? Also, can someone please post the commands for changing the passphrases and maybe also the command to make a public passphrase afterwards? (If all these are possible)
As long as you enclose the password with quotes on the command line, there shouldn't be any issue except one -- if the password itself contains a quote, in that case you'd need to escape it (standard command line stuff). I should note that I recommend using config files to avoid these issues altogether. First, you don't have to worry about quoting or anything, and second, it won't be in your command line history.
What are the security implications of using the same RPC server authentication passwords with dcrd and dcrwallet?
There is a lot less you can do with access to dcrd than you can with access to dcrwallet. The key point is that RPC access to dcrwallet, when the wallet is unlocked, can be used to spend coins. When they're both on the same machine, it probably doesn't matter all that much, but when you're running more secure setups where the wallet is on a separate machine from dcrd, you would pretty clearly not want to use the same credentials for both. Remember that dcrd has to be on an internet-facing machine in order to stay synced to the network (download the block chain data, broadcast transactions, etc). On the other hand, the dcrwallet that contains your funds, for best security, should really not be on a system that has internet access as it's infinitely more difficult for someone to steal your coins if the wallet that contains them isn't even on a machine that is accessible via the internet. Obviously, if you are staking your coins, you will need at least one internet-facing dcrwallet instance. Thus, the most secure setup involves having one "cold" dcrwallet instance that is on a machine that is not internet accessible, and a second "hot" dcrwallet instance (using a different seed of course) to which the cold dcrwallet instance delegates voting rights via the --ticketaddress parameter, both of which use different credentials. This setup is described on the wiki.
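Added example, not part of the thread and not Decred project code: a shell check of the credential layout discussed in the reply above, flagging a password shared between the dcrd and dcrwallet RPC servers and wallet-to-dcrd credentials that do not match. It assumes the config-file keys mirror the long option names quoted in the thread (rpcuser/rpcpass, username/password, dcrdusername/dcrdpassword); the function names, the sample files and the file-permission check are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit the RPC credential layout.
# Assumption: config keys mirror the long option names quoted in the thread.

# conf_get FILE KEY: print the value of the last active "KEY=value" line.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_rpc_creds DCRD_CONF DCRWALLET_CONF: print one finding per line.
audit_rpc_creds() {
    d_user=$(conf_get "$1" rpcuser);  d_pass=$(conf_get "$1" rpcpass)
    w_user=$(conf_get "$2" username); w_pass=$(conf_get "$2" password)
    # What dcrwallet presents to dcrd: the dcrd* keys when set,
    # otherwise its own RPC server credentials.
    c_user=$(conf_get "$2" dcrdusername); c_pass=$(conf_get "$2" dcrdpassword)
    [ -n "$c_user" ] || c_user=$w_user
    [ -n "$c_pass" ] || c_pass=$w_pass

    if [ "$c_user" != "$d_user" ] || [ "$c_pass" != "$d_pass" ]; then
        echo "MISMATCH: credentials dcrwallet sends to dcrd do not match dcrd.conf"
    fi
    if [ -n "$w_pass" ] && [ "$w_pass" = "$d_pass" ]; then
        echo "SHARED: dcrd and dcrwallet RPC servers use the same password"
    fi
    for f in "$1" "$2"; do
        # Characters 5-10 of the ls mode string are the group/other bits.
        case $(ls -ld "$f" | cut -c5-10) in
            ------) ;;
            *) echo "PERMS: $f is accessible to other local users" ;;
        esac
    done
}

# Constructed sample: the single-credential setup shown earlier in the thread.
demo_dir=$(mktemp -d)
printf 'rpcuser=dyrk\nrpcpass=123\n'   > "$demo_dir/dcrd.conf"
printf 'username=dyrk\npassword=123\n' > "$demo_dir/dcrwallet.conf"
chmod 600 "$demo_dir/dcrd.conf" "$demo_dir/dcrwallet.conf"
audit_rpc_creds "$demo_dir/dcrd.conf" "$demo_dir/dcrwallet.conf"
rm -rf "$demo_dir"
```

A layout with separate credentials, where dcrwallet.conf sets dcrdusername and dcrdpassword to dcrd's values and both files are mode 600, produces no findings.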
Wallet.db contains public and private keys, and if I don't use a public encryption passphrase, are the public keys stored as plain text?
For all intents and purposes, yes. Technically it's stored encrypted too, but it's encrypted with a well-known and hard-coded password in the code if you don't specify it, so it's trivial for anyone to decrypt it using that information. Ergo, yes, it's effectively plain text in that case.