Flow CLI security

How to securely use CLI

The managing of accounts and private keys is intrinsically dangerous. We must take extra precautions to not expose private key data when using the CLI.

The Flow CLI provides several options to secure private account data.

⚠️ Warning: please be careful when using private keys in configuration files. Never commit private key data to source control. If private key data must be kept in text, we suggest using a separate file that is not checked into source control (e.g. excluded with .gitignore).

Private Account Configuration File

Main configuration file

1
// flow.json
2
{
3
"contracts": {
4
"NonFungibleToken": "./cadence/contracts/NonFungibleToken.cdc",
5
"KittyItems": "./cadence/contracts/KittyItems.cdc"
6
},
7
"deployments": {
8
"testnet": {
9
"my-testnet-account": ["KittyItems", "NonFungibleToken"]
10
}
11
},
12
"accounts": {
13
"my-testnet-account": { "fromFile": "./flow.testnet.json" }
14
}
15
}

Private configuration file

⚠️ Put this file in .gitignore:

1
// flow.testnet.json
2
{
3
"accounts": {
4
"my-testnet-account": {
5
"address": "3ae53cb6e3f42a79",
6
"key": "334232967f52bd75234ae9037dd4694c1f00baad63a10c35172bf65fbb8ad1111"
7
}
8
}
9
}

Store Configuration in Environment Variables

You can use environment variables for values that should be kept private (e.g. private keys, addresses).

See example below:

1
PRIVATE_KEY=key flow project deploy
1
// flow.json
2
{
3
...
4
"accounts": {
5
"my-testnet-account": {
6
"address": "3ae53cb6e3f42a79",
7
"key": "$PRIVATE_KEY"
8
}
9
}
10
...
11
}

Private Dotenv File

The CLI will load environment variables defined in the .env file in the active directory, if one exists. These variables can be substituted inside the flow.json, just like any other environment variable.

⚠️ You should never commit .env to source control, especially if it contains sensitive information like a private key.

Example .env file:

1
PRIVATE_KEY=123

Composing Multiple Configuration Files

You can merge multiple configuration files like so:

1
flow project deploy -f main.json -f private.json