Currently, to pass a mnemonic to algokey, you need to pass it as a command-line argument in plaintext. This is bad. If a keyfile is not passed, it should prompt for a mnemonic.
Hi @pdayton,
Welcome to Algorand!
Indeed, algokey is not meant to be used and should not be used as a secure wallet on your personal laptop.
I know of two purposes of algokey:
- easy testing, in which case using the mnemonic as an argument is actually much easier (especially if used in bash scripts).
- signing on a completely airgapped computer. The process details would depend on your operational security.
Hi @fabrice, thanks for your response.
- Since algokey exists and is listed as a non-toy option in the developer docs, I think it still constitutes a security bug not to even allow non-plaintext mnemonics. To support convenient testing, it could also optionally allow passing the mnemonic as a plaintext command-line argument instead.
- Ideally I do not need to run a daemon just to securely sign a transaction. I want to store a passcode encrypted locally (e.g. with pass) and be able to securely copy/paste it to sign transactions without it e.g. appearing in a shell history.
You can open an issue on GitHub (algorand/go-algorand: Algorand's official implementation in Go) for this proposal.
Note that you can also take care of your use case as follows:
algokey sign -m "$(pbpaste)" -t transaction.tx -o transaction.sig
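
The prompt behaviour requested at the top of the thread can be approximated with a wrapper; the following is an added example, not part of the thread or of algokey. `sign_with_prompt` is a hypothetical helper name, and it assumes only the `algokey sign -m ... -t ... -o ...` invocation shown above.

```sh
# Added example: sign_with_prompt is a hypothetical helper, not part of algokey.
# It uses only the algokey flags shown in the thread: sign -m -t -o.
sign_with_prompt() {
    txn_in=$1
    sig_out=$2
    if [ -z "$txn_in" ] || [ -z "$sig_out" ]; then
        echo "usage: sign_with_prompt <transaction file> <signature file>" >&2
        return 2
    fi

    # Disable echo only when stdin is a terminal; restore it on interrupt too.
    if [ -t 0 ]; then
        saved_tty=$(stty -g)
        trap 'stty "$saved_tty"' INT TERM
        stty -echo
        printf 'Mnemonic: ' >&2
    fi
    IFS= read -r mnemonic
    if [ -t 0 ]; then
        stty "$saved_tty"
        trap - INT TERM
        printf '\n' >&2
    fi

    # Algorand mnemonics are 25 words; reject anything else before signing.
    # printf is a shell builtin, so the mnemonic is not placed in another
    # process's argument list here.
    words=$(($(printf '%s\n' "$mnemonic" | wc -w)))
    if [ "$words" -ne 25 ]; then
        echo "expected a 25-word mnemonic, got $words words" >&2
        unset mnemonic
        return 1
    fi

    # Caveat: algokey still receives the mnemonic in its argument list, so it
    # is visible in the process list while algokey runs. The wrapper only
    # keeps it out of shell history and off the screen.
    algokey sign -m "$mnemonic" -t "$txn_in" -o "$sig_out"
    rc=$?
    unset mnemonic
    return "$rc"
}
```

Because the mnemonic is read from standard input, the same function also accepts it from a pipe, for example from a password manager's output.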