Bitcoin Forum
Topic: Bitcoin RPC API on server
catoshicatamoto (OP)
October 01, 2021, 09:45:21 PM
 #1

Hi,
I have a developer programming some things for me, and he has full access to the server and everything he needs in order to do his job.
He also has full access to the Bitcoin node and RPC and everything (it is on the same VPS as the website).

And I have important questions:

Can I somehow deny him the ability to access/move/steal funds, or hide the private key or something?

With the dumpprivkey command, can you get the private key to everything, for all addresses that your node is producing for your shop or something, or only for the one address you put after the dumpprivkey command?

Is it necessary to run the Bitcoin node and the website that cooperates with it on the same server/hosting/VPS/dedicated server?

I am a beginner with the RPC API and he is a pro developer, but I have to keep the funds of my customers safe and not let anybody have access to or a backup of them.

Any ideas?
Thank you very much
n0nce
October 01, 2021, 11:59:29 PM
 #2

Bitcoin Core should run under a user created specifically for it. You could give your web developer another unprivileged account on the machine, then they would not be able to access your funds.
However, in my experience if they need sudo at all and you need to give them access to a privileged account, you can't guarantee they don't touch the funds.

I wouldn't recommend running Core on the same machine as your other stuff though. You could have a separate machine for Bitcoin that the developer has no access to and one that they can access to develop your shop or whatever.

You can read more about the JSON RPC interface here.

Finally, you can oblige the developer by contract not to touch specific files and by logging their login times and accesses to Core, prove that they stole funds & sue them.

darkv0rt3x
October 02, 2021, 09:19:08 AM
 #3

I think you may have another solution. Which is to have an offline node somewhere else, where you have the PKs of your addresses, and you can add those addresses to the only node as watch only addresses, if needed.

Not sure this suits you, though.

n0nce
October 02, 2021, 10:52:12 AM
 #4

> I think you may have another solution. Which is to have an offline node somewhere else, where you have the PKs of your addresses, and you can add those addresses to the only node as watch only addresses, if needed.
>
> Not sure this suits for you, though.

Then they can't sign transactions (pay) with that node though. If that's not needed, I'm wondering why they even bothered to set one up in the first place. If it's e.g. just for receiving payments in a web shop, you could indeed just have a hardware wallet and store the xpub on the server & display different addresses to customers every time, all derived simply from the xpub.

darkv0rt3x
October 02, 2021, 01:04:31 PM
 #5

> > I think you may have another solution. Which is to have an offline node somewhere else, where you have the PKs of your addresses, and you can add those addresses to the only node as watch only addresses, if needed.
> >
> > Not sure this suits for you, though.
>
> Then they can't sign transactions (pay) with that node though. If that's not needed, I'm wondering why they even bothered to set one up in the first place. If it's e.g. just for receiving payments in a web shop, you could indeed just have a hardware wallet and store the xpub on the server & display different addresses to customers every time, all derived simply from the xpub.

Yeah, he doesn't specify.
But the dev may need to work with a bitcoin node for writing scripts, interacting with the site, check wallet, display wallet addresses, etc. In that case, he doesn't need to have access to PKs, unless he needs to send bitcoin from the mentioned addresses, but in that case, well, he has to have access to the PKs.

PrimeNumber7
October 02, 2021, 03:33:18 PM
 #6

> Bitcoin Core should run under a user created specifically for it. You could give your web developer another unprivileged account on the machine, then they would not be able to access your funds.
>
> I wouldn't recommend running Core on the same machine as your other stuff though. You could have a separate machine for Bitcoin that the developer has no access to and one that they can access to develop your shop or whatever.

The OP did not specifically say, but I got the impression that whatever the dev is creating needs to have RPC access.

If the above is true, even if the OP is running a full node on a different server than the production server, the prod server will still need to interact with the RPC.


It is probably best to not allow the dev to work on a production server, or to interact with a production bitcoin node. The OP should give his dev access to a development server in which he can test his code to make sure everything works as intended. Someone working "honestly" could easily accidentally write code that results in something happening in a way that is not what was intended (this is quite common). Using a development server prevents this from affecting the OP's production full node or his production server. Once the code is complete, the OP can audit the code and push the code to the production server.

Anyone with access to an RPC server will need the passphrase in order to dump the private key or sign any transactions, so there is some level of protection from the stealing of coin.

Even if the dev does not have access to production servers, it is still possible that whatever he is developing will result in stolen funds from the OP. For example, a dev could make the backend act as if a deposit was received to the OP's wallet if a transaction to bc1DEVaddress....12 is received. This is why it is important to audit any code a dev creates for you.
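
Added example, not part of any post in this thread: a Python sketch that builds bitcoin.conf lines for a least-privilege RPC user using Bitcoin Core's `rpcauth` and `rpcwhitelist` options, so a shop backend that must reach the RPC cannot call `dumpprivkey` or spend. The user name `shop`, the method set `SHOP_RPCS` and the helper names are assumptions made for illustration.

```python
import hmac
import os

# Hypothetical method set for a receive-only shop backend; adjust to what the site calls.
SHOP_RPCS = ["getnewaddress", "getreceivedbyaddress", "gettransaction",
             "listtransactions", "getblockchaininfo"]
# RPCs that export keys, unlock the wallet or spend: never whitelisted here.
SENSITIVE_RPCS = {"dumpprivkey", "dumpwallet", "importprivkey", "backupwallet",
                  "walletpassphrase", "sendtoaddress", "sendmany",
                  "signrawtransactionwithwallet"}

def rpcauth_hash(salt, password):
    """HMAC-SHA256 keyed with the salt, as stored in an rpcauth= entry."""
    return hmac.new(salt.encode(), password.encode(), "sha256").hexdigest()

def restricted_conf(user, password, allowed, salt=None):
    """Build bitcoin.conf lines for one RPC user limited to `allowed`."""
    bad = SENSITIVE_RPCS.intersection(allowed)
    if bad:
        raise ValueError(f"refusing to whitelist sensitive RPCs: {sorted(bad)}")
    salt = salt or os.urandom(16).hex()
    return [f"rpcauth={user}:{salt}${rpcauth_hash(salt, password)}",
            f"rpcwhitelist={user}:{','.join(allowed)}",
            "rpcwhitelistdefault=1"]  # users without an entry get no methods

def is_allowed(conf_lines, user, method):
    """Simplified model of the whitelist check, for reviewing a config offline."""
    whitelists = {}
    for line in conf_lines:
        key, _, value = line.partition("=")
        if key == "rpcwhitelist":
            name, _, methods = value.partition(":")
            listed = set(methods.split(","))
            # Several entries for one user are intersected, not merged.
            whitelists[name] = whitelists.get(name, listed) & listed
    if user not in whitelists:
        # With any whitelist present, unlisted users are denied unless default is 0.
        return "rpcwhitelistdefault=0" in conf_lines
    return method in whitelists[user]

if __name__ == "__main__":
    # Constructed credentials for illustration only.
    conf = restricted_conf("shop", "constructed-password", SHOP_RPCS)
    print("\n".join(conf))
    for m in ("getnewaddress", "dumpprivkey", "sendtoaddress"):
        print(m, "->", "allowed" if is_allowed(conf, "shop", m) else "denied")
```

This limits what the RPC credential can do; it does not stop someone who can read the wallet file or use sudo on the same machine, which is the point made in reply #2.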
catoshicatamoto (OP)
October 03, 2021, 08:29:22 PM
 #7

Thank you guys for the answers