Deployment posture
Canonical operator-facing guidance for running blvm / blvm-node: exposure classes, minimum controls, and RPC transport × authentication.
Published copy: Deployment posture (BLVM docs).
How to read this page
| Term | Meaning |
|---|---|
| Required | Omitting this on the stated network / bind pattern materially increases risk of unauthorized RPC abuse, fund theft adjacent systems, or confidentiality loss. |
| Recommended | Strongly advised operational hygiene; omissions reduce resilience or auditability. |
| Unsupported | Not a supported safety combination in current code: do not rely on it as a security boundary. |
Supported contexts
flowchart TD
B[Where is RPC bound?] --> LOOP{127.0.0.1 or ::1 only?}
LOOP -->|Yes| NET{Network}
LOOP -->|LAN / WAN / 0.0.0.0| AUTH["rpc_auth.required = true"]
NET -->|Regtest dev| OK[Loopback + optional auth OK]
NET -->|Testnet| REC[Recommended: auth + firewall]
NET -->|Mainnet| AUTH
AUTH --> BASIC[HTTP Basic only on loopback: cleartext on wire]
AUTH --> BEAR[Bearer tokens for admin RPC]
- Regtest / local development: Supported for day-to-day work when P2P and RPC are unreachable from untrusted networks (typical loopback defaults).
rpc_auth.required = falseis acceptable only while RPC stays on127.0.0.1,::1, or equivalent loopback. - Testnet: Treat as internet-adjacent: peer set is untrusted; apply Recommended items below before exposing RPC beyond loopback. (Signet is not yet a supported network in BLVM.)
- Mainnet: High assurance: assume global attackers on P2P and opportunistic scanning on RPC-shaped ports. Meet Required items for any non-loopback control plane.
Critical deployment concerns
Control plane (JSON-RPC, REST, QUIC RPC)
- Required (non-loopback):
[rpc_auth]withrequired = true. Use Bearer tokens (tokens,admin_tokens,token_file,RPC_AUTH_TOKENS) and/or HTTP Basic (username,passwordfor ckpool / Core-style clients). TLS client certificates remain supported when configured. See Configuration reference and RPC transport × authentication. - REST note:
/api/v1/*requires compile-timerest-apiand[rest_api].enabled = true(separate bind; off by default). Uses the sameRpcAuthManageras JSON-RPC when auth is configured. - Recommended: Bind RPC to loopback when using HTTP Basic: credentials are cleartext on the wire. Use a reverse proxy or firewall allowlists when exposing RPC beyond localhost; server-side rate limits do not replace edge policy.
- Recommended: Grant admin access only to operators and mining tooling (
getblocktemplate,submitblock,generatetoaddress, destructive control methods). Bearer tokens intokensalone are read-only unless also listed inadmin_tokens;[rpc_auth].passwordis registered as admin automatically when set. - Note (QUIC): JSON-RPC over QUIC uses HTTP/3 (ALPN
h3) and shares the sameRpcAuthManageras TCP HTTP (Bearer and Basic). Treat the UDP listener as its own exposure surface. See RPC transport × authentication.
Peer layer (P2P)
- Required (mainnet/testnet): Run maintained releases; keep
listen_addrbound intentionally (avoid accidental0.0.0.0without firewall intent). - Recommended: Monitor peer bans / DoS logs; cap LAN peer assumptions using documented LAN-peering rules (Threat models).
Data directory, backups, integrity
- Required: Protect the configured
data_dirwith host filesystem permissions (only the node OS user). - Recommended: Encrypted backups of wallet-adjacent artifacts elsewhere: the node is not a wallet, but keys or module secrets on the same host still warrant backup hygiene.
- Recommended: Snapshot
data_dironly when the node is stopped or via backend-specific backup guidance (Storage backends) to avoid torn pages.
Modules, WASM, IPC
- Required: Treat third-party modules as supply-chain code: verify signatures / maintainer policy before production enablement.
- Recommended: For
wasm-modules, set embedder budget keys documented inblvm-nodenode configuration guide; prefer process-isolated modules when in-process WASM is unnecessary.
Supply chain and patching
- Recommended: Run
cargo audit(or distributor SBOM process) on lockfiles you ship; reconcileblvm-nodeAUDIT_SUPPRESSIONSwhen upgradingiroh,quinn,hickory, ortime. - Recommended: Prefer
--lockedbuilds where your repo policy commits a lockfile (blvmumbrella does; library-style crates may not: see workspaceCargo.lockpolicy).
Secrets and logging
- Required: Never commit
RPC_AUTH_TOKENS,[rpc_auth].password, TLS keys, ortoken_filepaths into config repos; restrict log forwarding so Bearer tokens and Basic credentials are not captured in HTTP access logs. - Recommended: Rotate tokens after operational incidents.
Software maturity
- Required acknowledgment: BLVM remains pre-production for mainnet high assurance unless your organization has independently validated releases: see Threat models and security policy.
Before mainnet (first sync checklist)
Complete before running a mainnet node or exposing RPC beyond loopback:
- Release verification: Download from btcdecoded.org/install or GitHub Releases; verify
checksums.sha256(Installation). - Sync path: First Node Setup: Mainnet IBD (
start-ibd-mainnet.shor bundled example TOML), not bareblvm --network mainnet. - Data directory: Dedicated path (e.g.
~/.local/share/blvm-mainnet); restrict filesystem permissions to the node OS user. - IBD tuning: Review bundled
blvm-mainnet-ibd.toml.example; optionalBLVM_IBD_ENGINEper IBD UTXO engine. - Modules: Keep third-party modules disabled during first sync; verify maintainer policy before production enablement.
- Backups: Plan snapshot/backup policy; snapshot
data_dirwhen stopped or per Storage backends. - RPC exposure: Before binding RPC off loopback, complete the Minimum checklist (non-loopback RPC) below.
Then meet Required items under Supported contexts → Mainnet above.
Minimum checklist (non-loopback RPC)
- Set
rpc_auth.required = true(or equivalent env) unless RPC listens only on127.0.0.1/::1(loopback). - Provide Bearer tokens (
tokens,admin_tokens,token_file,RPC_AUTH_TOKENS) and/or HTTP Basic (username/password) or TLS client certificates as documented in Configuration reference. - Prefer
transport_preference = "tcponly"until QUIC RPC + strong auth is explicitly required: see RPC transport × authentication.
Relationship to other docs
- Threat models: Attack surfaces and boundaries (developer + operator framing).
- First node: Config-based setup; links here for production-facing posture.