Security FAQ
Frequently asked questions about security for AI agents using Bitcoin, Lightning, and Nostr.
Security FAQ
Common questions about securing AI agent operations across Bitcoin, Lightning, and Nostr.
Key Management
How should I store my Bitcoin seed phrase?
Never digitally. Store on metal plate or paper in a secure location (safe deposit box, fireproof safe). Consider Shamir’s Secret Sharing to split across multiple locations.
For agents, the seed should be stored encrypted if automated recovery is needed, but never in plaintext or environment variables in production.
Can I use the same keys for Bitcoin and Nostr?
Don’t. While technically possible, this links your financial identity to your social identity. Compromise of one compromises both. Always use separate keys for each protocol.
How much should I keep in a hot wallet?
Minimum necessary for operations. A good rule:
- Hot wallet: 1-7 days of expected spending
- Warm wallet: 30 days (requires more steps to access)
- Cold storage: Everything else
For Lightning, you need some hot funds, but minimize the exposure.
How often should I rotate keys?
| Key Type | Rotation Frequency |
|---|---|
| Bitcoin seed | Never (derive new addresses) |
| Lightning node | Only if compromised |
| Nostr identity | Rarely (loses followers) |
| API keys/macaroons | Monthly or after any incident |
What if my Lightning node seed is compromised?
- Immediately force-close all channels
- Wait for on-chain settlement
- Move funds to new wallet
- Create new node from new seed
- Open new channels
You’ll lose some funds to force-close fees, but this is better than total loss.
Network Security
Should I run my agent over Tor?
Yes, for production. Tor provides:
- IP address hiding
- Censorship resistance
- Some traffic analysis protection
The latency penalty is acceptable for most agent operations.
Is VPN enough instead of Tor?
No. VPNs:
- Trust the VPN provider completely
- Can log your traffic
- Single point of failure
Tor is decentralized and provides better privacy, though VPN can be a useful additional layer.
How do I protect against DNS attacks?
- Use DNS-over-HTTPS (DoH)
- Use Tor (resolves DNS through exit nodes)
- Pin known IP addresses where possible
- Validate TLS certificates
What ports do I need to expose?
| Protocol | Port | Expose? |
|---|---|---|
| Bitcoin RPC | 8332 | No (localhost only) |
| Lightning RPC | 10009 | No (localhost only) |
| Lightning P2P | 9735 | Yes (or Tor hidden service) |
| Nostr relay | 443 | N/A (you connect out) |
Minimize exposed ports. Use Tor hidden services for incoming connections.
Threat Protection
What’s the biggest threat to my agent?
Key compromise. Most other attacks can be mitigated or recovered from, but key compromise means:
- All funds can be stolen (Bitcoin, Lightning)
- Identity can be impersonated (Nostr)
- No recovery possible
Invest heavily in key management security.
How do I protect against phishing?
Agents are less susceptible to traditional phishing, but can be fooled by:
- Fake invoices (verify source out-of-band)
- Address substitution (verify full address)
- Malicious Nostr events (verify signatures)
Defense: Verify all payment requests through multiple channels.
Should I worry about 51% attacks?
For most agents: no. 51% attacks:
- Are extremely expensive
- Only affect very recent transactions
- Require targeting you specifically
Standard confirmation requirements (6 for large amounts) protect against this.
How do I detect if I’m under attack?
Monitor for:
- Unusual transaction patterns
- High rate of payment failures
- Many small dust transactions
- Unexpected key access attempts
- Network connection anomalies
Use the monitoring patterns from the Monitoring guide.
Operational Security
How do I separate personal and agent operations?
- Different keys: Never share Bitcoin/Nostr keys
- Different infrastructure: Separate servers/VMs
- Different networks: Separate Tor circuits
- Different timing: Avoid simultaneous activity
What should I log vs. not log?
| Log | Don’t Log |
|---|---|
| Transaction IDs | Private keys |
| Amounts (as ranges) | Full addresses |
| Timestamps | Seed phrases |
| Outcomes (success/fail) | Exact balances |
| Error codes | Passwords |
How long should I keep logs?
| Log Type | Retention |
|---|---|
| Critical security events | Forever |
| Transaction records | 7 years (tax compliance) |
| Error logs | 90 days |
| Debug logs | 7 days |
What if I suspect a compromise?
- Stop all operations immediately
- Move funds to new keys
- Revoke access (macaroons, API keys)
- Investigate the scope of compromise
- Document everything for post-mortem
- Notify affected counterparties if relevant
Recovery
What backups do I need?
| Protocol | Backup | Frequency |
|---|---|---|
| Bitcoin | Seed phrase | Once |
| Bitcoin | Derivation paths | Once |
| Lightning | Seed + SCB | Every channel change |
| Nostr | nsec | Once per identity |
| Nostr | Relay list | Periodically |
How do I test my backups?
- Verify seed phrase derives expected addresses
- Verify SCB can be parsed
- Verify nsec derives expected npub
- Do this monthly
What can I recover from an SCB?
Only funds via force-close. You cannot:
- Recover channel state
- Continue routing
- Avoid force-close fees
SCB is disaster recovery, not live backup.
Can I recover a lost Nostr private key?
No. There is no recovery mechanism for Nostr keys. If you lose your nsec:
- That identity is lost forever
- You must create a new identity
- Followers must be rebuilt
Always backup your nsec.
Lightning-Specific
Why do I need a watchtower?
Watchtowers monitor your channels 24/7 and broadcast penalty transactions if your counterparty tries to cheat by publishing old channel states. Essential if your node has any downtime.
What if my Lightning node goes offline?
Short-term (hours): Usually fine, channels remain open. Long-term (days): Risk of counterparty force-closing. Use watchtower. Permanent: Recover via SCB (force-close all channels).
How do I prevent channel jamming?
- Limit HTLCs per peer
- Implement circuit breakers
- Charge appropriate fees
- Use reputation systems
- Consider paid channels
Nostr-Specific
Is NIP-04 encryption secure?
No, use NIP-44. NIP-04 problems:
- No forward secrecy
- Metadata not protected
- Known cryptographic weaknesses
NIP-04 is deprecated. Always use NIP-44 for encrypted messages.
How do I verify a Nostr identity?
- NIP-05: Check DNS verification
- History: Look at account age and activity
- Cross-reference: Verify on multiple relays
- Out-of-band: Confirm via another channel if critical
What if someone impersonates my agent?
- Post warning from real identity
- Report to relay operators
- Encourage NIP-05 verification
- Consider key rotation (loses followers)
Cost vs. Security
How much should I spend on security?
General guidance:
- Protect at least 10% of assets at stake
- More if you’re a high-value target
- Consider opportunity cost of time
Is a hardware wallet necessary?
For cold storage of significant amounts: yes. For operational hot wallet: impractical (can’t automate signing).
Use hardware wallets for:
- Cold storage backups
- Large withdrawals to cold storage
- High-value signing when human approval is acceptable
When is security “good enough”?
Never, but practically:
- Address the highest-risk threats first
- Implement defense in depth
- Review and improve continuously
- Have tested incident response plan
“Good enough” means: you’ve consciously accepted remaining risks.
Machine-Readable Summary
{
"topic": "security-faq",
"audience": "ai-agents",
"question_count": 35,
"categories": [
"key_management",
"network_security",
"threat_protection",
"operational_security",
"recovery",
"lightning_specific",
"nostr_specific",
"cost_vs_security"
],
"key_takeaways": [
"key_compromise_is_biggest_threat",
"use_tor_for_production",
"separate_keys_per_protocol",
"backup_and_test_regularly",
"monitor_for_anomalies"
]
}