While getting myself set up and acquainted with the Zcash Linux wallet I realized that at some point I overwrote my Conf file so that all that was in it was a line for addnode. There was no rpcusername or rpcpassword. I know that while the Conf file was like this I generated wallet addresses and synced the blockchain. I hadn’t sent any funds to any of these addresses yet. Am I at risk for my future funds being stolen if I continue to use this wallet? Could the lack of having an rpcusername and password mean that the private keys of the addresses I created be at risk and collected by someone?
This is actually correct and the `rpcusername` and `rpcpassword` are not required. There is a discrepancy in the docs here Home · zcash/zcash Wiki · GitHub (which only includes the `addnode` line) and here Download Zcash | Zcash where it specifies to add the `rpcusername` and `rpcpassword`. I’m guessing the latter just hasn’t been updated.
If `rpcuser` and `rpcpassword` are not set then it uses cookie based authentication like Bitcoin - you can see the Bitcoin issue here: https://github.com/bitcoin/bitcoin/pull/6388 which is referenced via the Zcash devs here: Replace `rpcuser/password` mechanism with 'cookie file' authentication. · Issue #1950 · zcash/zcash · GitHub.
So your keys are safe (assuming your machine is) as RPC by default only allows access from the same machine.
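A check for the situation discussed in this thread, as an added example that is not part of the original posts or of the Zcash code: it reads a conf file's text and reports which RPC authentication mode applies and whether any `rpcallowip` entry opens RPC beyond the local machine. It assumes zcashd follows the bitcoind behaviour linked above (cookie authentication when no `rpcpassword` is set); the function names and the sample conf contents are constructed for illustration.

```python
import ipaddress

# Constructed sample: a conf file holding only an addnode line, as in the question.
SAMPLE_CONF = "addnode=node.example.invalid\n"


def parse_conf(text):
    """Collect key=value pairs; '#' starts a comment; repeated keys accumulate."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        opts.setdefault(key, []).append(value)
    return opts


def is_loopback(spec):
    """True only if an rpcallowip value (IP, CIDR or ip/netmask) is loopback."""
    try:
        return ipaddress.ip_network(spec, strict=False).is_loopback
    except ValueError:
        return False  # unparseable entries are flagged for manual review


def audit(text):
    """Report the RPC auth mode and any rpcallowip entry reaching past localhost."""
    opts = parse_conf(text)
    # Assumption: with no rpcpassword set, the daemon uses cookie authentication.
    auth = "password" if any(opts.get("rpcpassword", [])) else "cookie"
    wide = [ip for ip in opts.get("rpcallowip", []) if not is_loopback(ip)]
    return {"auth": auth, "non_loopback_allow": wide, "local_only": not wide}


if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```
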