tgerboui / nona-lib

TypeScript library to simplify interactions with the Nano currency node.
MIT License
6 stars 1 forks source link

Securing private keys #9

Open tgerboui opened 7 months ago

tgerboui commented 7 months ago

Currently, the wallet's private key is stored in a private property of the wallet class.

However, this can present a number of security risks, including:

Accidental exposure: Private keys can be accidentally exposed through logs, errors or by being returned in API responses if not handled carefully. Unauthorised access: If an application is compromised, an attacker can potentially gain access to this private key.

A solution to this problem could be to encrypt the key in memory.

When a new Wallet object is created, the private key is encrypted in memory using a run-specific random data encryption key. Each time the private key is used, it is only decrypted for the duration of the use, limiting the exposure of the key.

This method isn't perfect because an attacker could find the data encryption key in memory and decrypt it anyway, but it does add a layer of security.

I'm open to other solutions.