How to securely use CLI
Managing accounts and private keys is intrinsically dangerous. Take extra precautions not to expose private key data when using the CLI.
The Flow CLI provides several options to secure private account data.
⚠️ Warning: please be careful when using private keys in configuration files.
Never commit private key data to source control.
If private key data must be kept in text, we suggest using a separate file
that is not checked into source control (e.g. excluded with .gitignore).
```json
// flow.json
{
  "contracts": {
    "NonFungibleToken": "./cadence/contracts/NonFungibleToken.cdc",
    "KittyItems": "./cadence/contracts/KittyItems.cdc"
  },
  "deployments": {
    "testnet": {
      "my-testnet-account": ["KittyItems", "NonFungibleToken"]
    }
  },
  "accounts": {
    "my-testnet-account": { "fromFile": "./flow.testnet.json" }
  }
}
```
⚠️ Put this file in .gitignore:

```json
// flow.testnet.json
{
  "accounts": {
    "my-testnet-account": {
      "address": "3ae53cb6e3f42a79",
      "key": "334232967f52bd75234ae9037dd4694c1f00baad63a10c35172bf65fbb8ad1111"
    }
  }
}
```
You can use environment variables for values that should be kept private (e.g. private keys, addresses).
See example below:
```sh
PRIVATE_KEY=key flow project deploy
```

```json
// flow.json
{
  ...
  "accounts": {
    "my-testnet-account": {
      "address": "3ae53cb6e3f42a79",
      "key": "$PRIVATE_KEY"
    }
  }
  ...
}
```
The CLI will load environment variables defined in the .env file in the active directory, if one exists.
These variables can be substituted inside the flow.json, just like any other environment variable.
⚠️ You should never commit .env to source control, especially if it contains sensitive information like a private key.

Example .env file:

```sh
PRIVATE_KEY=123
```
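As an added example (not part of the Flow CLI or its documentation), the script below audits the `accounts` section of a flow.json for the two layouts described above: a `fromFile` reference whose target is not git-ignored, and a private key stored inline instead of as a `$VARIABLE`. The function names and sample values are constructed for illustration, and it assumes only the string `key` and `fromFile` forms shown on this page.

```python
import json
import subprocess
import sys

def git_is_ignored(path):
    """True when git ignores `path` (`git check-ignore -q` exits 0)."""
    cmd = ["git", "check-ignore", "-q", "--", path]
    return subprocess.run(cmd).returncode == 0

def audit_accounts(config, is_ignored=git_is_ignored):
    """Return (account, finding) pairs for key material that could be committed."""
    findings, uses_env = [], False
    for name, acct in config.get("accounts", {}).items():
        key, from_file = acct.get("key"), acct.get("fromFile")
        if from_file is not None:
            # Key is kept in a separate file, which must be excluded from git.
            if not is_ignored(from_file):
                findings.append((name, f"{from_file} is not git-ignored"))
        elif isinstance(key, str) and key.startswith("$"):
            uses_env = True  # substituted from the environment or .env
        elif isinstance(key, str):
            findings.append((name, "private key stored inline"))
    # .env may hold the substituted values, so it must be ignored as well.
    if uses_env and not is_ignored(".env"):
        findings.append((".env", ".env is not git-ignored"))
    return findings

# Constructed sample; the inline key is a dummy value, not a real key.
SAMPLE = {
    "accounts": {
        "from-file": {"fromFile": "./flow.testnet.json"},
        "from-env": {"address": "3ae53cb6e3f42a79", "key": "$PRIVATE_KEY"},
        "inline": {"address": "3ae53cb6e3f42a79", "key": "00" * 32},
    }
}

if __name__ == "__main__":
    from_cli = len(sys.argv) > 1
    if from_cli:  # audit a real file, asking git about ignore rules
        with open(sys.argv[1]) as fh:
            results = audit_accounts(json.load(fh))
    else:  # offline demo: pretend only the split-out key file is ignored
        results = audit_accounts(SAMPLE, lambda p: p == "./flow.testnet.json")
    for account, finding in results:
        print(f"{account}: {finding}")
    sys.exit(1 if from_cli and results else 0)
```

Run it from the directory that contains flow.json, passing the file path as the only argument; a non-zero exit status makes it usable as a pre-commit check.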
You can merge multiple configuration files like so:
```sh
flow project deploy -f main.json -f private.json
```