While getting myself set up and acquainted with the Zcash Linux wallet I realized that at some point I overwrote my Conf file so that all that was in it was a line for addnode. There was no rpcusername or rpcpassword. I know that while the Conf file was like this I generated wallet addresses and synced the blockchain. I hadn’t sent any funds to any of these addresses yet. Am I at risk of my future funds being stolen if I continue to use this wallet? Could the lack of an rpcusername and password mean that the private keys of the addresses I created are at risk and could be collected by someone?
This is actually correct and the rpcpassword are not required. There is a discrepancy in the docs here https://github.com/zcash/zcash/wiki/1.0-User-Guide (which only includes the addnode line) and here https://z.cash/download.html where it specifies to add the rpcpassword. I’m guessing the latter just hasn’t been updated.
rpcpassword are not set then it uses cookie based authentication like Bitcoin - you can see the Bitcoin issue here: https://github.com/bitcoin/bitcoin/pull/6388 which is referenced via the Zcash devs here: https://github.com/zcash/zcash/issues/1950.
So your keys are safe (assuming your machine is) as RPC by default only allows access from the same machine.
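The check the answer describes can be run against a config file. This is an added example, not part of the original thread or Zcash's own code: it reports which RPC authentication mode a config selects and whether anything widens RPC beyond the local machine. The sample configs are constructed, and the cookie path passed to `cookie_is_private` is an assumption supplied by the caller.

```python
import ipaddress
import os

# Constructed sample configs (not taken from the thread).
ADDNODE_ONLY = "addnode=node.example.invalid\n"
EXPOSED = ("rpcuser=alice\nrpcpassword=hunter2  # weak\n"
           "rpcallowip=0.0.0.0/0\nrpcbind=0.0.0.0\n")

def parse_conf(text):
    """Parse key=value lines; keys may repeat and '#' starts a comment."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            opts.setdefault(key.strip(), []).append(value.strip())
    return opts

def is_loopback(value):
    """True only if the address or CIDR range lies entirely in loopback space."""
    try:
        return ipaddress.ip_network(value, strict=False).is_loopback
    except ValueError:
        # Hostnames, wildcards and addr:port forms are flagged for manual review.
        return False

def audit(text):
    """Report the auth mode and any setting that opens RPC to other hosts."""
    opts = parse_conf(text)
    has_creds = "rpcuser" in opts and "rpcpassword" in opts
    remote = [v for key in ("rpcallowip", "rpcbind")
              for v in opts.get(key, []) if not is_loopback(v)]
    return {"auth": "rpcuser/rpcpassword" if has_creds else "cookie",
            "remote_access": remote}

def cookie_is_private(path):
    """True if the cookie file grants no permissions to group or other users."""
    return (os.stat(path).st_mode & 0o077) == 0

if __name__ == "__main__":
    print(audit(ADDNODE_ONLY))  # the asker's situation: addnode line only
    print(audit(EXPOSED))
```

An empty `remote_access` list with `auth` set to `cookie` matches the situation in the question: local-only RPC protected by the cookie file.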