BitBoxSwiss · Beerosagos · May 13, 2026 · coderabbitai · May 14, 2026 · Beerosagos
@@ -196,6 +196,15 @@ type Environment interface {
 	// OnAuthSettingChanged is called when the authentication (screen lock) setting is changed.
 	// This is also called when the app launches with the current setting.
 	OnAuthSettingChanged(enabled bool)
+	// CanEncryptLightningMnemonic reports whether Lightning mnemonics should be stored encrypted on
+	// this platform.
+	CanEncryptLightningMnemonic() bool
+	// StoreLightningEncryptionKey persists a backend-generated Lightning seed encryption key.
+	StoreLightningEncryptionKey(accountCode string, encryptionKey string) error
+	// LoadLightningEncryptionKey retrieves the stored Lightning seed encryption key.
+	LoadLightningEncryptionKey(accountCode string) (string, error)
+	// DeleteLightningEncryptionKey removes the persisted Lightning seed encryption key.
+	DeleteLightningEncryptionKey(accountCode string) error
 	// BluetoothConnect tries to connect to the peripheral by the given identifier.
 	// Use `backend.bluetooth.State()` to track failure.
 	BluetoothConnect(identifier string)
@@ -349,6 +358,7 @@ func NewBackend(arguments *arguments.Arguments, environment Environment) (*Backe
 
 	backend.lightning = lightning.NewLightning(backend.config,
 		backend.arguments.CacheDirectoryPath(),
+		backend.environment,
 		backend.Keystore, backend.httpClient,
 		backend.ratesUpdater,
 		btcCoin)

@@ -245,6 +245,14 @@ func (e environment) Auth() {}
 
 func (e environment) OnAuthSettingChanged(bool) {}
 
+func (e environment) CanEncryptLightningMnemonic() bool { return false }
+
+func (e environment) StoreLightningEncryptionKey(string, string) error { return nil }
+
+func (e environment) LoadLightningEncryptionKey(string) (string, error) { return "", nil }
+
+func (e environment) DeleteLightningEncryptionKey(string) error { return nil }
+
 func (e environment) BluetoothConnect(string) {}
 
 type mockTransactionsSource struct {

@@ -180,13 +180,17 @@ type BackendEnvironment struct {
 	UsingMobileDataFunc func() bool
 	// NativeLocaleFunc is used by the backend to query native app layer for user
 	// preferred UI language.
-	NativeLocaleFunc         func() string
-	GetSaveFilenameFunc      func(string) string
-	SetDarkThemeFunc         func(bool)
-	DetectDarkThemeFunc      func() bool
-	AuthFunc                 func()
-	OnAuthSettingChangedFunc func(bool)
-	BluetoothConnectFunc     func(string)
+	NativeLocaleFunc                 func() string
+	GetSaveFilenameFunc              func(string) string
+	SetDarkThemeFunc                 func(bool)
+	DetectDarkThemeFunc              func() bool
+	AuthFunc                         func()
+	OnAuthSettingChangedFunc         func(bool)
+	CanEncryptLightningMnemonicFunc  func() bool
+	StoreLightningEncryptionKeyFunc  func(string, string) error
+	LoadLightningEncryptionKeyFunc   func(string) (string, error)
+	DeleteLightningEncryptionKeyFunc func(string) error
+	BluetoothConnectFunc             func(string)
 }
 
 // NotifyUser implements backend.Environment.
@@ -265,6 +269,38 @@ func (env *BackendEnvironment) OnAuthSettingChanged(enabled bool) {
 	}
 }
 
+// CanEncryptLightningMnemonic implements backend.Environment.
+func (env *BackendEnvironment) CanEncryptLightningMnemonic() bool {
+	if env.CanEncryptLightningMnemonicFunc != nil {
+		return env.CanEncryptLightningMnemonicFunc()
+	}
+	return false
+}
+
+// StoreLightningEncryptionKey implements backend.Environment.
+func (env *BackendEnvironment) StoreLightningEncryptionKey(accountCode string, encryptionKey string) error {
+	if env.StoreLightningEncryptionKeyFunc != nil {
+		return env.StoreLightningEncryptionKeyFunc(accountCode, encryptionKey)
+	}
+	return nil
+}
+
+// LoadLightningEncryptionKey implements backend.Environment.
+func (env *BackendEnvironment) LoadLightningEncryptionKey(accountCode string) (string, error) {
+	if env.LoadLightningEncryptionKeyFunc != nil {
+		return env.LoadLightningEncryptionKeyFunc(accountCode)
+	}
+	return "", nil
+}
+
+// DeleteLightningEncryptionKey implements backend.Environment.
+func (env *BackendEnvironment) DeleteLightningEncryptionKey(accountCode string) error {
+	if env.DeleteLightningEncryptionKeyFunc != nil {
+		return env.DeleteLightningEncryptionKeyFunc(accountCode)
+	}
+	return nil
+}
+
 // BluetoothConnect implements backend.Environment.
 func (env *BackendEnvironment) BluetoothConnect(identifier string) {
 	if env.BluetoothConnectFunc != nil {

@@ -61,6 +61,14 @@ func (e environment) Auth() {}
 
 func (e environment) OnAuthSettingChanged(bool) {}
 
+func (e environment) CanEncryptLightningMnemonic() bool { return false }
+
+func (e environment) StoreLightningEncryptionKey(string, string) error { return nil }
+
+func (e environment) LoadLightningEncryptionKey(string) (string, error) { return "", nil }
+
+func (e environment) DeleteLightningEncryptionKey(string) error { return nil }
+
 func (e environment) BluetoothConnect(string) {}
 
 // TestServeShutdownServe checks that you can call Serve twice in a row.

@@ -38,17 +38,21 @@ type backendEnv struct {
 	Locale string // returned by NativeLocale
 }
 
-func (e *backendEnv) NotifyUser(string)             {}
-func (e *backendEnv) SystemOpen(string) error       { return nil }
-func (e *backendEnv) DeviceInfos() []usb.DeviceInfo { return nil }
-func (e *backendEnv) UsingMobileData() bool         { return false }
-func (e *backendEnv) NativeLocale() string          { return e.Locale }
-func (e *backendEnv) GetSaveFilename(string) string { return "" }
-func (e *backendEnv) SetDarkTheme(bool)             {}
-func (e *backendEnv) DetectDarkTheme() bool         { return false }
-func (e *backendEnv) Auth()                         {}
-func (e *backendEnv) OnAuthSettingChanged(bool)     {}
-func (e *backendEnv) BluetoothConnect(string)       {}
+func (e *backendEnv) NotifyUser(string)                                 {}
+func (e *backendEnv) SystemOpen(string) error                           { return nil }
+func (e *backendEnv) DeviceInfos() []usb.DeviceInfo                     { return nil }
+func (e *backendEnv) UsingMobileData() bool                             { return false }
+func (e *backendEnv) NativeLocale() string                              { return e.Locale }
+func (e *backendEnv) GetSaveFilename(string) string                     { return "" }
+func (e *backendEnv) SetDarkTheme(bool)                                 {}
+func (e *backendEnv) DetectDarkTheme() bool                             { return false }
+func (e *backendEnv) Auth()                                             {}
+func (e *backendEnv) OnAuthSettingChanged(bool)                         {}
+func (e *backendEnv) CanEncryptLightningMnemonic() bool                 { return false }
+func (e *backendEnv) StoreLightningEncryptionKey(string, string) error  { return nil }
+func (e *backendEnv) LoadLightningEncryptionKey(string) (string, error) { return "", nil }
+func (e *backendEnv) DeleteLightningEncryptionKey(string) error         { return nil }
+func (e *backendEnv) BluetoothConnect(string)                           {}
 
 func TestGetNativeLocale(t *testing.T) {
 	const ptLocale = "pt"

@@ -3,7 +3,12 @@
 package lightning
 
 import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"encoding/base64"
 	"encoding/hex"
+	"io"
 	"net/http"
 	"os"
 	"path"
@@ -29,12 +34,21 @@ const (
 	breezApiKeyUrl = "https://bitboxapp.shiftcrypto.dev/lightning/breez-api-key"
 )
 
+// Keep this local to avoid importing backend.Environment and creating a package cycle.
+type environment interface {
+	CanEncryptLightningMnemonic() bool
+	StoreLightningEncryptionKey(accountCode string, encryptionKey string) error
+	LoadLightningEncryptionKey(accountCode string) (string, error)
+	DeleteLightningEncryptionKey(accountCode string) error
+}
+
 // Lightning manages the Breez SDK lightning node.
 type Lightning struct {
 	observable.Implementation
 
 	backendConfig      *config.Config
 	cacheDirectoryPath string
+	environment        environment
 	getKeystore        func() keystore.Keystore
 	synced             bool
 
@@ -48,13 +62,15 @@ type Lightning struct {
 // NewLightning creates a new instance of the Lightning struct.
 func NewLightning(config *config.Config,
 	cacheDirectoryPath string,
+	environment environment,
 	getKeystore func() keystore.Keystore,
 	httpClient *http.Client,
 	ratesUpdater *rates.RateUpdater,
 	btcCoin coin.Coin) *Lightning {
 	return &Lightning{
 		backendConfig:      config,
 		cacheDirectoryPath: cacheDirectoryPath,
+		environment:        environment,
 		getKeystore:        getKeystore,
 		log:                logging.Get().WithGroup("lightning"),
 		synced:             false,
@@ -64,7 +80,8 @@ func NewLightning(config *config.Config,
 	}
 }
 
-// Activate first creates a mnemonic from the keystore entropy then connects to instance.
+// Activate first creates a mnemonic from the keystore entropy, persists it, and connects to the
+// instance.
 func (lightning *Lightning) Activate() error {
 	if lightning.Account() != nil {
 		return errp.New("Lightning accounts already configured")
@@ -91,13 +108,25 @@ func (lightning *Lightning) Activate() error {
 		return errp.New("Error generating mnemonic")
 	}
 
+	accountCode := types.Code(strings.Join([]string{"v0-", hex.EncodeToString(fingerprint), "-ln-0"}, ""))
+	sealedMnemonic, err := lightning.sealMnemonic(string(accountCode), entropyMnemonic)
+	if err != nil {
+		lightning.log.WithError(err).Warn("Error configuring Lightning secure storage")
+		return errp.New("Could not configure Lightning secure storage on this device")
+	}
+
 	lightningAccount := config.LightningAccountConfig{
-		Mnemonic:        entropyMnemonic,
+		Mnemonic:        sealedMnemonic,
 		RootFingerprint: fingerprint,
-		Code:            types.Code(strings.Join([]string{"v0-", hex.EncodeToString(fingerprint), "-ln-0"}, "")),
+		Code:            accountCode,
 		Number:          0,
 	}
 	if err = lightning.SetAccount(&lightningAccount); err != nil {
+		if lightning.environment.CanEncryptLightningMnemonic() {
+			if deleteErr := lightning.environment.DeleteLightningEncryptionKey(string(accountCode)); deleteErr != nil {
+				lightning.log.WithError(deleteErr).Warn("Error deleting lightning encryption key after activation failure")
+			}
+		}
 		return err
 	}
 
@@ -149,6 +178,12 @@ func (lightning *Lightning) Deactivate() error {
 		return err
 	}
 
+	if lightning.environment.CanEncryptLightningMnemonic() {
+		if err := lightning.environment.DeleteLightningEncryptionKey(string(account.Code)); err != nil {
+			lightning.log.WithError(err).Warn("Error deleting lightning encryption key")
+		}
+	}
+
 	return nil
 }
 
@@ -172,7 +207,6 @@ func (lightning *Lightning) Balance() (*accounts.Balance, error) {
 		// before returning the balance
 		EnsureSynced: &ensureSynced,
 	})
-
 	if err != nil {
 		return nil, err
 	}
@@ -201,9 +235,15 @@ func (lightning *Lightning) connect(_ bool) error {
 			return err
 		}
 
+		mnemonic, err := lightning.unsealMnemonic(account)
+		if err != nil {
+			lightning.log.WithError(err).Warn("Error unlocking Lightning mnemonic")
+			return errp.New("Error unlocking Lightning mnemonic from the device")
+		}
+
 		// Construct the seed using mnemonic words or entropy bytes
 		var seed breez_sdk_spark.Seed = breez_sdk_spark.SeedMnemonic{
-			Mnemonic:   account.Mnemonic,
+			Mnemonic:   mnemonic,
 			Passphrase: nil,
 		}
 
@@ -219,7 +259,9 @@ func (lightning *Lightning) connect(_ bool) error {
 		config.PrivateEnabledDefault = true
 		// Set the maximum fee to the fastest network recommended fee at the time of claim
 		// with a leeway of 1 sats/vbyte
-		networkRecommendedInterface := breez_sdk_spark.MaxFee(breez_sdk_spark.MaxFeeNetworkRecommended{LeewaySatPerVbyte: 1})
+		networkRecommendedInterface := breez_sdk_spark.MaxFee(
+			breez_sdk_spark.MaxFeeNetworkRecommended{LeewaySatPerVbyte: 1},
+		)
 		config.MaxDepositClaimFee = &networkRecommendedInterface
 
 		connectRequest := breez_sdk_spark.ConnectRequest{
@@ -252,6 +294,96 @@ func (lightning *Lightning) connect(_ bool) error {
 	return nil
 }
 
+func (lightning *Lightning) sealMnemonic(accountCode string, mnemonic string) (string, error) {
+	if !lightning.environment.CanEncryptLightningMnemonic() {
+		return mnemonic, nil
+	}
+
+	encryptionKey := make([]byte, 32)
+	if _, err := io.ReadFull(rand.Reader, encryptionKey); err != nil {
+		return "", err
+	}
+
+	sealedMnemonic, err := encryptMnemonic(mnemonic, encryptionKey)
+	if err != nil {
+		return "", err
+	}
+
+	if err := lightning.environment.StoreLightningEncryptionKey(
+		accountCode,
+		base64.StdEncoding.EncodeToString(encryptionKey),
+	); err != nil {
+		return "", err
+	}
+
+	return sealedMnemonic, nil
+}
+
+func (lightning *Lightning) unsealMnemonic(account *config.LightningAccountConfig) (string, error) {
+	if !lightning.environment.CanEncryptLightningMnemonic() {
+		return account.Mnemonic, nil
+	}
+
+	encryptionKeyBase64, err := lightning.environment.LoadLightningEncryptionKey(string(account.Code))
+	if err != nil {
+		return "", err
+	}
+
+	encryptionKey, err := base64.StdEncoding.DecodeString(encryptionKeyBase64)
+	if err != nil {
+		return "", err
+	}
+
+	mnemonic, err := decryptMnemonic(account.Mnemonic, encryptionKey)
+	if err != nil {
+		return "", err
+	}
+
+	return mnemonic, nil
+}
+
+func encryptMnemonic(mnemonic string, encryptionKey []byte) (string, error) {
+	block, err := aes.NewCipher(encryptionKey)
+	if err != nil {
+		return "", err
+	}
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return "", err
+	}
+	nonce := make([]byte, gcm.NonceSize())
+	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
+		return "", err
+	}
+	ciphertext := gcm.Seal(nil, nonce, []byte(mnemonic), nil)
+	return base64.StdEncoding.EncodeToString(append(nonce, ciphertext...)), nil
+}
+
+func decryptMnemonic(sealedMnemonic string, encryptionKey []byte) (string, error) {
+	rawCiphertext, err := base64.StdEncoding.DecodeString(sealedMnemonic)
+	if err != nil {
+		return "", err
+	}
+	block, err := aes.NewCipher(encryptionKey)
+	if err != nil {
+		return "", err
+	}
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return "", err
+	}
+	if len(rawCiphertext) < gcm.NonceSize() {
+		return "", errp.New("ciphertext too short")
+	}
+	nonce := rawCiphertext[:gcm.NonceSize()]
+	ciphertext := rawCiphertext[gcm.NonceSize():]
+	plaintext, err := gcm.Open(nil, nonce, ciphertext, nil)
+	if err != nil {
+		return "", err
+	}
+	return string(plaintext), nil
+}
+
 func (lightning *Lightning) getBreezApiKey() (*string, error) {
 	_, breezApiKey, err := util.HTTPGet(lightning.httpClient, breezApiKeyUrl, "", int64(4096))
 	if err != nil {