
Flow CLI security

Managing accounts and private keys is intrinsically dangerous. We must take extra precautions to avoid exposing private key data when using the CLI.

The Flow CLI provides several options to secure private account data.

⚠️ Warning: please be careful when using private keys in configuration files. Never commit private key data to source control. If private key data must be kept in text, we suggest using a separate file that is not checked into source control (e.g. excluded with .gitignore).

Private Account Configuration File

Storing an account key in a separate file that is not checked into source control (e.g. excluded with .gitignore) can be the first step towards better security.

Main configuration file


    ...
    "accounts": {
      "my-testnet-account": {
        "address": "3ae53cb6e3f42a79",
        "key": {
          "type": "file",
          "location": "./my-testnet-account.key"
        }
      }
    }
    ...

Separate account key file

⚠️ Put this file in .gitignore

The my-testnet-account.key file only contains the hex-encoded private key.


    334232967f52bd75234ae9037dd4694c1f00baad63a10c35172bf65fbb8ad1111


Private configuration file

⚠️ Put this file in .gitignore:


    // flow.testnet.json
    {
      "accounts": {
        "my-testnet-account": {
          "address": "3ae53cb6e3f42a79",
          "key": "334232967f52bd75234ae9037dd4694c1f00baad63a10c35172bf65fbb8ad1111"
        }
      }
    }

Store Configuration in Environment Variables

You can use environment variables for values that should be kept private (e.g. private keys, addresses).

See the example below:


    PRIVATE_KEY=key flow project deploy


    // flow.json
    {
      ...
      "accounts": {
        "my-testnet-account": {
          "address": "3ae53cb6e3f42a79",
          "key": "$PRIVATE_KEY"
        }
      }
      ...
    }

Private Dotenv File

The CLI will load environment variables defined in the .env file in the active directory, if one exists. These variables can be substituted inside the flow.json, just like any other environment variable.

⚠️ You should never commit .env to source control, especially if it contains sensitive information like a private key.

Example .env file:


    PRIVATE_KEY=123

Composing Multiple Configuration Files

You can merge multiple configuration files like so:


    flow project deploy -f main.json -f private.json
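
The storage options on this page differ in which files end up holding key material. The following added example (not from the Flow documentation or the Flow CLI) classifies each account's "key" entry across a set of configuration files and lists the paths that need a .gitignore entry. The function names, the 32-hex-digit threshold and the sample data are assumptions made for the illustration.

```python
import json
import re

# Hex string long enough to be key material (assumed threshold: 32+ hex digits).
HEX_KEY = re.compile(r"^(0x)?[0-9a-fA-F]{32,}$")
# "$NAME" placeholder, substituted by the CLI from the environment or .env.
ENV_REF = re.compile(r"^\$[A-Za-z_][A-Za-z0-9_]*$")

def classify_key(key):
    """Classify one account "key" value as 'env', 'file', 'inline' or 'unknown'."""
    if isinstance(key, str):
        if ENV_REF.match(key):
            return "env"
        return "inline" if HEX_KEY.match(key) else "unknown"
    if isinstance(key, dict):
        if key.get("type") == "file" and key.get("location"):
            return "file"
        # Other object forms: any embedded hex string counts as inline key data.
        if any(isinstance(v, str) and HEX_KEY.match(v) for v in key.values()):
            return "inline"
    return "unknown"

def must_be_ignored(configs):
    """configs maps file name -> JSON text. Returns the sorted paths that hold
    key material and therefore belong in .gitignore: every config file with an
    inline key, plus every key file referenced by a {"type": "file"} entry."""
    paths = set()
    for filename, text in configs.items():
        for account in json.loads(text).get("accounts", {}).values():
            key = account.get("key")
            kind = classify_key(key)
            if kind == "inline":
                paths.add(filename)
            elif kind == "file":
                paths.add(key["location"])
    return sorted(paths)

# Constructed sample input, shaped like the configuration files on this page.
FAKE_KEY = "ab" * 32  # constructed 64-digit hex placeholder, not a real key
SAMPLE = {
    "flow.json": json.dumps({"accounts": {
        "file-account": {"address": "3ae53cb6e3f42a79",
                         "key": {"type": "file", "location": "./my-testnet-account.key"}},
        "env-account": {"address": "3ae53cb6e3f42a79", "key": "$PRIVATE_KEY"}}}),
    "flow.testnet.json": json.dumps({"accounts": {
        "my-testnet-account": {"address": "3ae53cb6e3f42a79", "key": FAKE_KEY}}}),
}

if __name__ == "__main__":
    for path in must_be_ignored(SAMPLE):
        print("must be git-ignored:", path)
```

Each reported path can then be confirmed as excluded with `git check-ignore` before committing.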