
Hey, I want to send a transaction that has a message embedded in it. I want the most secure way to unlock the personal account. I have a full node GETH installed and am using web3. I have a nodejs script running on the server that has the GETH node. I need to send the transaction through this script. This script will be called by the other server. What would be the most secure way to decrypt using the private keys? Is this a good way to unlock an account?

web3.personal.unlockAccount(addr,pass); 

Or is the use of private key a better one?

tx.sign(privateKey1)
const serializedTransaction = tx.serialize()
const raw = '0x' + serializedTransaction.toString('hex')

I will be using this to send the transaction on a production server. So what's the best and most secure way to send the transaction?

  • The first method is not safe because anyone hacking your node server will be able to exploit your account at will. The second method safety depends on how you are storing the private key and how you are passing it to the backend server. Commented May 18, 2020 at 8:30
  • Hey @goodvibration. I don't think storing the private key on the GETH server is good. I have another server calling into my GETH server. I run a node script on the GETH server to send the transaction. What would be the best way to save or send the private key? Commented May 18, 2020 at 8:42
  • Should I send this from some other server which consists of private keys? ---> const raw = '0x' + serializedTransaction.toString('hex') Commented May 18, 2020 at 8:50
  • As the answer below suggests, you should let your client sign the transaction. You might need to add appropriate front-end code in your project. You can read a general scheme for that, which I have suggested in an answer here in the past. Commented May 18, 2020 at 8:50
  • There is no client code. Another JS script from another server will call my script. What would be the way to handle such communication? Commented May 18, 2020 at 9:04

1 Answer


The best method is to keep your private keys off the Go Ethereum (geth) server and sign transactions locally. Namely, there are a lot of stateless Ethereum node services like Infura and QuikNode that do not support accounts.

  1. Import your private key and create a web3.eth.accounts.Account object.

https://web3js.readthedocs.io/en/v1.2.7/web3-eth-accounts.html#privatekeytoaccount

  2. Then you can use account.signTransaction() to sign a transaction.
  • What's the safest way to import the private key? I am running a script in nodejs to send a transaction on the GETH server. Commented May 18, 2020 at 8:44
  • The private key has to be "hot" on the server to work, so if your server is compromised the private key is with it. I would suggest you use any best practice for secrets management in development and operations. It usually comes with your deployment tool, if you use one, like Ansible has its vault. Commented May 18, 2020 at 8:54
  • Will this hide the private keys from anyone who has access to the server? Commented May 18, 2020 at 9:09
  • No, you cannot hide private keys on the server, as they need to be loaded. However, they can hide the private keys in source code control or when the files are at rest on turned-off devices. Commented May 18, 2020 at 9:11
  • Hey @Mikko. Would it be better just to send the RawTransaction object from another server? Commented May 18, 2020 at 10:11
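A worked version of the answer's two steps (privateKeyToAccount, then signTransaction) and of the split the comments ask about (sign on the host that holds the key, relay only the signed bytes from the geth host), added here as an example; it is not code from the question, the answer or web3.js itself. It assumes the web3.js 1.x API and a key delivered by a secrets manager in an environment variable named SIGNER_PRIVATE_KEY (that variable name is an assumption).

```javascript
// Added example, not the code of the question or the answer. The signing side runs
// where the secret lives; the relay side runs next to geth, holds no key, never calls
// personal.unlockAccount, and only forwards already-signed bytes (eth_sendRawTransaction).
// Assumptions: web3.js 1.x; the key arrives in SIGNER_PRIVATE_KEY (name chosen here).

// Read and validate the key from the environment so it is never hardcoded or kept on
// disk beside the node. Returns a 0x-prefixed 32-byte hex string.
function loadPrivateKey(env = process.env) {
  const raw = env.SIGNER_PRIVATE_KEY;
  if (!raw) throw new Error('SIGNER_PRIVATE_KEY is not set');
  const hex = raw.startsWith('0x') ? raw : '0x' + raw;
  if (!/^0x[0-9a-fA-F]{64}$/.test(hex)) throw new Error('private key must be 32 bytes of hex');
  return hex;
}

// Signing side: build the account object and sign locally. `web3` is injected so the
// function works with a real instance or with a stand-in object when testing.
async function signLocally(web3, txParams, env = process.env) {
  const account = web3.eth.accounts.privateKeyToAccount(loadPrivateKey(env));
  const signed = await account.signTransaction({ ...txParams, from: account.address });
  return signed.rawTransaction; // 0x-prefixed RLP; carries no secret, safe to hand to the relay
}

// Relay side: accepts only a signed raw transaction and forwards it to the node.
async function relayRaw(web3, rawTransaction) {
  if (typeof rawTransaction !== 'string' || !/^0x[0-9a-fA-F]+$/.test(rawTransaction)) {
    throw new Error('expected a 0x-prefixed signed raw transaction');
  }
  return web3.eth.sendSignedTransaction(rawTransaction); // eth_sendRawTransaction under the hood
}

// Wiring with real instances (hostname is an assumption):
//   const Web3 = require('web3');
//   const signer = new Web3();                        // no provider needed just to sign
//   const relay = new Web3('http://geth-host:8545');  // the node host, which holds no key
//   // With no provider on the signer, pass gasPrice, nonce and chainId explicitly.
//   const tx = { to, value, gas, gasPrice, nonce, chainId };
//   signLocally(signer, tx).then((raw) => relayRaw(relay, raw));
```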
