Best way to handle private key management in ethers.js (production solution)

[fabioeletto]

Hello,
I was wondering which is the common way to manage private keys in ethers.js?

[zemse]

Can you provide more details on your use case and production environment?

• For frontends, it is not really a safe way, since browser extensions get access to the DOM and execute JS. So the user has to be careful to not install creepy plugins.
• For backends, if just one person is going to access a server/system, with limited amount of funds, then a .env file should be pretty fine. A very safe way would be to have the private key in hardware, e.g. using AWS KMS.

[fabioeletto]

Thanks for the quick answer.
So we are using a server to interact with the contract. So there is no need that the client interact directly with the contract. I was asking this question because I read the docs and there are different ways to create a wallet instance. For example you could just use your private key as parameter or you use a encrypted json file or a mnemonic phrase. But I don't get the advantages of using a encrypted json file or a mnemonic phrase because I have still to manage the password or the phrase. So if I store the private key or the password in a .env the security issue stays the same because if someone gets access to my server he still can get my password and decrypt the json file.

[zemse]

if someone gets access to my server he still can get my password and decrypt the json file.

Exactly, storing private key in .env is quite equivalent to having a keystore + password in the same server. For single person working on the server it is fine or group of very trusted people. But when you have a scenario in which people are joining the company leaving the company and such people are getting access to the server, it makes sense to not have it over there and instead use some hardware module on the server which doesn't give access to the private key. Otherwise you may setup some CI so that access server is not given to people joining and leaving, if PR on github is merged then it is automatically pulled on the server.

[jacobbogers]

@Fabio-GitHub25
This is a question that is asked alot and the cryptocommunity has come up with strategies to solve this problem

• BIP-32 - the hierarchal deterministic description
• BIP-39 - the method used to derive the BIP-32 seed from human-readable sequences of words (i.e. a mnemonic)
• BIP-44 - a standard defined to make BIP-32 easy to adapt to any future compatible blockchain

Ethers.js library implements all of them
https://docs.ethers.org/v5/api/utils/hdnode/

[ricmoo]

They are also available in v6. :)