Introduction

In my 2-something years of being a web3 dev, I've seen quite a lot of my frens and oomfs on Twitter lose all their funds because of one silly mistake: pushing their private keys to GitHub. It may sound like a very obvious and easy-to-avoid mistake but its more common than one may think. In this guide, we'll cover the most correct method of using your private key in Foundry. This method optimally balances convenience and safety. Let's get started!

Development Account

It is considered best practice to create a separate account in your wallet for development purposes and not add any Mainnet tokens to it. Wallets like MetaMask and Rainbow allow you to give names to your accounts, so make sure to give it a name like dev as it will help you to easily identify which account you're on. If you have to deploy a contract to Mainnet, add just enough funds to ensure your transaction goes through. This separation of accounts will prevent you from getting rugged even if your private key somehow gets leaked.

account with testnet funds

Keystores in Foundry

Cast will allow you to import your private key into an encrypted keystore. The command for doing this is:

cast wallet import account_name --interactive

It will then ask you to enter your private key. Once you do that, it will ask you to enter a password for that key. Whenever you want to use that key, you'll have to enter your password for authorization, so make sure you remember it. Once you've entered a password, it will be used to encrypt your private key and a keystore will be created. By default, its location will be ~/.foundry/keystores.

This method ensures that your private key is not stored in plaintext anywhere and can only be decrypted by someone who has its password. You can import more accounts in a similar fashion and for each one, you'll be asked to enter a corresponding password.

You can also import wallets by using their mnemonic phrases like so:

cast wallet import arbitrary_name --mnemonic "test test test test test test test test test test test test"

Using private keys

When you're deploying a contract, you will have to use your private key. For getting the list of available keystores, run this command in your terminal

cast wallet list

This will show you a list of imported keystores

We still haven't covered how to deploy contracts using Foundry, but for now, just know that for using the private keys you imported into keystores, the process is as simple as adding the account name to the command and then entering your password. Here's what one of the methods of deployment looks like:

forge create ContractName --rpc-url rpc_url --account account_name

Once you run this command, you will be prompted to enter the password that corresponds to account_name. If the password is correct, your private key gets decrypted and is used to deploy the contract via the RPC URL specified. Don't worry too much if you don't understand this command as well cover it in the next guide.

The Pledge and a word of caution

In May 2022, Patrick Collins created the .env pledge, by taking which you promise to never use .env files for storing private keys of accounts that have mainnet funds in them. This pledge has evolved over time as now you don't even need env files for deploying contracts, like we just did. You can go ahead and read the pledge here. Make sure to read it to the end and comment I WILL BE SAFE if you agree to take this pledge.

A leaked .env file is not the only reason why developers wallets get hacked. If someone on Twitter or anywhere else asks you to download their software for testing and debugging, consider it an immediate red flag and run as fast as you can. Any shady software that you install has the potential to be a tool for stealing your private keys, because in the end, even MetaMask stores your keys offline and encrypts them with your password. If this password somehow gets stolen by the shady software in question, it can use it to decrypt your keys and steal your funds.

The bottom line is, you have to be safe at every step of the way in your web3 dev journey.

Conclusion

Congratulations! You now know how to safely import your private key into a keystore and use it to deploy contracts. There is more than one way of deploying contracts using Foundry. In the next guide well dive deeper into this process and learn how to deploy smart contracts locally and on-chain. See you then 🫡🫡