dapps security private-key – How to secure a private key in a dapp?

dappsprivate-keySecurity

We are currently building an app that interacts with the blockchain. It needs to be able to make transactions on the blockchain on it's own – for instance to add addresses to a whitelist. This means that it needs to have access to a private key that lets it sign the transactions. What is the best practice to store that private key?

To clarify, I want to know how to secure the APP's private key – not the user's keys.

Best Answer

There is no general solution for this.

Possible approaches for the client-side are:

  • Users keep the private key stored in an encrypted keystore file. The "Login" into the DAPP would be: (1) upload locally, not to the server, the keystore file into the DAPP, (2) type in the password to unlock the keystore, (3) use the private key in DAPP. This is how https://www.myetherwallet.com works.

  • Users keep their private key stored in an app on the smartphone. Every time the DAPP wants to send a transaction, it presents a QR code, which is scanned by the smartphone app. The smartphone is signing and forwarding the transaction into the network. This is how uPort works.

  • Use a browser plugin to manage your keystores. The plugin injects the web3 context into the page code. When an application needs to send a transaction, this transaction is confirmed&signed via the plugin. This is how Metamask works.

  • Finally, you can use smartcards or hardware-wallets to sign the transactions, which is the safest method, however, it will require additional hardware.

Possible approaches for the automatisation on the server-side

  • use unencrypted private key stored in the filesystem
  • Store keystore in the filesystem, store the password in the filesystem. script the unlocking of the keystore. This is only slightly better than directly storing the unencrypted key.
  • use a smart card solution (I read that there is supported added to geth, but never testet this myself).
Related Topic