
Currently, I’m developing the Solana Dex Telegram mini application. I’m stuck with connecting a wallet. The fact is that Telegram blocks third-party libraries for connecting a wallet such as “Connect wallet”, “solana/web.js”, etc. Competitors, for example AlphaDex, implement the connection through importing a private key. Now the question is how to store private keys on backend? Any best practices?

2 Answers


  1. Competitors, for example AlphaDex, implement the connection through importing a private key.

    This is a disaster in the making. Study EtherDelta.

    Now the question is how to store private keys on backend? Any best practices?

    You don’t save private keys anywhere. It is the first rule of developing public blockchains. That’s why there is the whole concept of wallet – decentralised application separation.

    Any best practices?

    You really need to make it possible to connect a third party wallet to a Telegram app. For example, for Ethereum you can use WalletConnect protocol regardless of medium (desktop app, mobile app, etc.). Though I am not sure what’s the status of its Solana adapter currently.

  2. This is how MetaMask stores private keys in your device:

    • It first encrypts, creates a secret key and stores this secret key in your device but in a scrambled form so that no one, not even someone who can look inside your computer, can read it without knowing your password.

    • When you enter your correct password, MetaMask uses the same secret code to unlock the private key so you can use it to sign transactions.
      Once unlocked, MetaMask holds the private key in memory while you’re using it, but it’s still not saved anywhere in plain form. It will stay accessible until you lock MetaMask or close the browser.

    You can use a similar encryption technique: encrypt the private key and decrypt it on the server. Now you have to find a way to store the secret key in a secure way. For this, you can use AWS Secrets Manager.

    Secrets Manager uses AWS Identity and Access Management (IAM) to
    secure access to secrets. IAM provides authentication and access
    control. Authentication verifies the identity of individuals’
    requests. Secrets Manager uses a sign-in process with passwords,
    access keys, and multi-factor authentication (MFA) tokens to verify
    the identity of the users. See Signing in to AWS. Access control
    ensures that only approved individuals can perform operations on AWS
    resources such as secrets. Secrets Manager uses policies to define who
    has access to which resources, and which actions the identity can take
    on those resources.

    Before requesting the secret key on the server, you can also implement role-based access control to allow only certain people to reach AWS and make a request to get the secret key.

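The password-based encryption that answer 2 describes, written out as an added example (not part of either answer and not MetaMask's code): a key derived from the password with PBKDF2 encrypts the wallet key with AES-GCM, and only the resulting record is stored. The function names, record layout, iteration count and the 64-byte sample key are assumptions made for the illustration.

```javascript
// WebCrypto is global in browsers and Node 19+; older Node exposes it via require.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const ITERATIONS = 600000; // assumed PBKDF2-HMAC-SHA256 work factor
const toB64 = (bytes) => btoa(String.fromCharCode(...bytes));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Stretch the password into a non-extractable AES-256-GCM key.
async function deriveKey(password, salt, iterations) {
  const material = await wc.subtle.importKey(
    'raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Encrypt a wallet secret key (hypothetical helper); persist only the returned record.
async function sealKey(password, secretKey) {
  const salt = wc.getRandomValues(new Uint8Array(16)); // fresh salt per record
  const iv = wc.getRandomValues(new Uint8Array(12));   // fresh nonce per encryption
  const key = await deriveKey(password, salt, ITERATIONS);
  const ct = await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, secretKey);
  return { v: 1, kdf: 'PBKDF2-SHA256', iterations: ITERATIONS,
           salt: toB64(salt), iv: toB64(iv), data: toB64(new Uint8Array(ct)) };
}

// Decrypt a stored record. AES-GCM checks its authentication tag first, so a
// wrong password or a modified record rejects instead of returning garbage.
async function openKey(password, vault) {
  // Refuse unknown formats and records with a weaker KDF setting than we write.
  if (vault.v !== 1 || vault.kdf !== 'PBKDF2-SHA256' || vault.iterations < ITERATIONS) {
    throw new Error('unsupported or downgraded vault record');
  }
  const key = await deriveKey(password, fromB64(vault.salt), vault.iterations);
  const pt = await wc.subtle.decrypt(
    { name: 'AES-GCM', iv: fromB64(vault.iv) }, key, fromB64(vault.data));
  return new Uint8Array(pt);
}

// Constructed sample: a 64-byte stand-in for a wallet secret key, not a real key.
async function demo() {
  const secret = Uint8Array.from({ length: 64 }, (_, i) => i);
  const vault = await sealKey('correct horse battery staple', secret);
  const opened = await openKey('correct horse battery staple', vault);
  const wrongRejected = await openKey('guess', vault).then(() => false, () => true);
  return { roundTrip: opened.every((b, i) => b === secret[i]), wrongRejected };
}
demo().then(console.log);
```

The password is never stored; whoever holds the record alone still has to guess the password against the PBKDF2 work factor.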