Why do we need to enter the private key of our wallet in the .env?

Hello everyone

Im working on the implementation of the dhedge-v2-sdk with a trading bot strategy.

My question is the following. I found out, that we need to lay back the private key or seedphrase of our trading account on the server where the sdk lays in an .env file. This seems like a major security risk to me as

  • the key is laying on the server, and anyone with access to it can download it. I think of the personal of the provider.
  • software on the server is able to read the key from the .env file and do things with it, that i am not fully aware of. As i install software with npm / composer and i cant check every line of code in them.
  • security holes could occur in the softwares that are used.

I think its a total no-go to store any private key / seedphrase on a webserver. They only belong to a very save place and are entered to connect to your wallets in case you reinstall the computer / install the wallet software.

Whats your opinion on this, and how to handle this situation? Why is it necessary to store the key on the server anyhow? Is there a way around it or can we encrpyt it somehow? It seems not to speak for the integrity of the sdk or do i overlook something?


1 Like

Yeah I think depending on where you deploy it, it’s possible to increase the security on it. Eg. Google Cloud has a Secret Manager.

In the worst case that the key is compromised, if it’s a trader account, then the worst that can be done are bad trades on the account. At this point, the trader account can be disabled.