Algokey should not take mnemonic in plaintext

Currently to pass a mnemonic to algokey, you need to pass it as a command-line argument in plaintext. This is bad. If a keyfile is not passed, it should prompt for a mnemonic.

Hi @pdayton,

Welcome to Algorand!

Indeed, algokey is not meant to be used and should not be used as a secure wallet on your personal laptop.

I know of two purposes of algokey:

  • easy testing in which case using the mnemonic as argument is actually much easier (especially if used in bash scripts).
  • signing on completely airgapped computer. The process details would depend on your operational security.

Hi @fabrice, thanks for your response.

  • Since algokey exists and is listed as a non-toy option in the developer docs, I think it still constitutes a security bug not to even allow non-plaintext mnemonics. To support convenient testing, it could also optionally allow passing the mnemonic as a plaintext command-line argument instead.
  • Ideally I do not need to run a daemon just to securely sign a transaction. I want to store a passcode encrypted locally (e.g. with pass) and be able to securely copy/paste it to sign transactions without it e.g. appearing in a shell history.

You can open an issue on GitHub - algorand/go-algorand: Algorand's official implementation in Go. for this proposal.

Note that you can also take care of your use case as follows:

algokey sign -m "$(pbpaste)" -t transaction.tx -o transaction.sig