Managing Environment Variables and Secrets in Web3 Projects

“We can’t ship because our secrets are everywhere”

• Private keys for deployers, relayers, and AA paymasters often get tucked away in plaintext .env files or in self-hosted vaults that have pretty weak RBAC.
• Front-end frameworks can be sneaky, inline environment variables during build time, which means credentials can end up in the browser or CDN by accident.
• CI systems tend to store long-lived cloud tokens, and when it’s time to rotate them, it can lead to deployment disasters just before milestone sign-offs.
• ZK proving keys and .zkey/.ptau artifacts are massive--often over 100MB. Teams sometimes cram them into GitHub “secrets” or leave them in commit history, which throws reproducibility and provenance into question.
• As for SOC 2 compliance? There's none in sight: no evidence of least privilege, no logs for rotations, no trails of approvers, and definitely no secret scanning or push protection.

The Risk and Cost Curve is No Joke

• Just one compromised relayer or bundler key can mess up user operations and end up burning through your “gas budgets.” And when that happens, don’t expect quick fixes; incident response tends to get bogged down in procurement and legal reviews.
• If you're dealing with SOC 2 (specifically CC6, CC7, CC8), you need to have solid access control, monitoring, and change management in place. Without cloud-native controls and the right evidence, you'll flunk readiness and have to go through the audit cycle all over again. You can read more about it here.
• When using Next.js or similar frameworks, keep in mind that inline variables should be prefixed for the client. If you accidentally use the wrong prefix or mess up the Docker build order, you might end up baking secrets right into your bundles. And don’t forget, any need for rebuilds can mess with your cache and slow down your releases. More details can be found here.
• ZK toolchains have had real vulnerabilities (like the snarkjs versions below 0.7.0 that had input validation issues) and aliasing problems. If you’re working with outdated artifacts, you could compromise L2 and bridge security reviews. Check out the specifics here.
• Vault “Transit” doesn’t natively support secp256k1, which can be a real headache. Teams end up creating makeshift plugins that often cause delays in stabilizing crypto primitives. You can find more information here.

7Block’s “Least-Privilege by Design” Blueprint

We’ve crafted a streamlined, cloud-native secrets architecture that’s easy for your teams to manage. Check out the precise blueprint we roll out, complete with practical trade-offs and notes on ROI.

1. Store your production signing keys in your cloud KMS instead of .env files

• When it comes to EVM signing, here’s what you should use:
  • For AWS, go with KMS using ECC_SECG_P256K1. This way, you can handle EIP‑1559 signing using ECDSA_SHA_256. The cool part? Your keys stay safe in the HSM, and you can generate checksummed addresses straight from the public key. Check out the details here.
  • If you’re using Azure, their Key Vault has your back with ES256K on P‑256K, including HSM options. You can read more about it here.
  • Google Cloud KMS is another solid choice that supports secp256k1 with HSM protection. Plus, you can submit Keccak digests using the SHA256 slot, which matches the required digest length. Just a heads-up: signatures are nondeterministic (not RFC6979 compliant). Dive into the details here.
• Here are some implementation patterns to consider:
  • For CI, utilize OIDC to grab short-lived credentials and then call KMS Sign. This means you won’t have any static AWS/GCP/Azure keys floating around in GitHub. You can find more info about this here.
  • If you’re using HashiCorp Vault and need to sign secp256k1, stick to a maintained plugin (like Kaleido or Brahma) instead of going down the custom code route. You can check it out here.

2) Use OIDC in GitHub Actions; stop storing cloud secrets in CI

• First things first, get GitHub’s OIDC provider up and running. You’ll want to scope your AWS IAM trust to your specific org/repo/branch by using the token.actions.githubusercontent.com:sub condition. This way, you can say goodbye to those pesky long-lived cloud secrets in Actions. Check out the details in the official docs for all the nitty-gritty.
• Here’s a quick example (AWS) to show how this works, complete with environment protections and KMS integration:

name: deploy
on:
  push:
    branches: [ main ]
permissions:
  id-token: write
  contents: read
jobs:
  deploy:
    environment: production
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - name: Configure AWS creds via OIDC
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/gha-deploy
          aws-region: us-east-1
      - name: Fetch secret at runtime
        run: |
          SECRET=$(aws secretsmanager get-secret-value --secret-id app/config --query SecretString --output text)
          echo "::add-mask::$SECRET"
          echo "$SECRET" > config.json
      - name: KMS sign dry-run
        run: |
          aws kms sign --key-id $KMS_KEY --message-type DIGEST \
            --signing-algorithm ECDSA_SHA_256 --message $(./scripts/tx-hash)

• Protect your deployments using GitHub Environments, which lets you add required reviewers and set up time gates. This not only ensures you have clear approvals for SOC 2 but also provides solid evidence for clean change management. Check it out in the official docs: (docs.github.com)

3) Secrets at Runtime, Not Build Time -- Front-End Discipline

• So, here’s the deal with Next.js: it inlines any variable that starts with NEXT_PUBLIC_* during the build process. This means you should only bake in non-sensitive configuration stuff, like feature flags. For anything sensitive, make sure you’re reading those values on the server at runtime--think API routes or edge functions. If you're using Docker or Kubernetes, pass those public variables as build arguments, and handle server-only secrets via runtime environment variables or secret mounts. You can get more details here.
• One common pitfall we often help teams avoid: they set NEXT_PUBLIC_* variables at container runtime, hoping it’ll update the bundle. Spoiler alert: it won’t! Those variables are compiled in when you build. You can find more info on this here.

4) Kubernetes: Externalize and Rotate

• Check out the External Secrets Operator (ESO) for syncing your secrets from AWS Secrets Manager, Parameter Store, GCP Secret Manager, or Azure Key Vault right into Kubernetes Secrets. It handles RBAC and rotation beautifully. Plus, it’s now generally available (GA) and gaining a lot of traction. (github.com)
• If you’re using EKS, the AWS Secrets Store CSI Driver add-on is a game changer. It lets you mount secrets as files, and the rotation reconciler takes care of updating Pods without any hassle. (docs.aws.amazon.com)
• We stick to best practices like enforcing envelope encryption, using namespace-scoped SecretStores, and ensuring no cross-namespace reads happen. (external-secrets.io)

5) ZK artifacts: provenance, not Git LFS

• When it comes to .zkey and .ptau files, think of them as controlled artifacts:
  • Store these in versioned object storage; don’t forget to publish SHA‑256 manifests and circuit metadata. You can share them via pre-signed URLs that have a short time-to-live (TTL).
  • For Groth16/PLONK/FFLONK, make sure you're using snarkjs version 0.7.0 or higher, and always verify the PTAU/zkey before going live. Check out the snarkjs documentation for more details!
  • Keep a clear record of your trusted setups (Powers of Tau) and verification steps in your CI. And hey, never accept unsigned keys! You can find more info on this in the deepwiki.
• For Halo2 stacks, be sure to pin your crate versions. Control parallelism using RAYON_NUM_THREADS to maintain reproducibility. More info is available on GitHub!

6) Developer Ergonomics without Plaintext .env

• Consider using SOPS + age for managing encrypted config in Git. You can easily decrypt it with workload identity (like KMS, Key Vault, or GCP KMS) during CI and when deploying. This way, you avoid shared passwords and PGP key drift. Check it out here: (github.com).
• If you’re working with Hardhat 3, it's better to go for Configuration Variables along with hardhat-keystore instead of relying on ad-hoc dotenv setups. With encrypted keystore values, you can tailor them for each developer and override them using HARDHAT_VAR_* in CI. Find more info here: (hardhat.org).
• When using Foundry, make the smart choice of utilizing keystore wallets (just use cast wallet import) and environment variables for ETHERSCAN_API_KEY and RPC URLs. This way, you keep your secrets out of your scripts. For the details, check it out: (docs.base.org).

7) Relayers and AA (EIP-4337) without key leaks

• When you use OpenZeppelin Defender Relayers, they keep EOAs safe inside AWS KMS. Instead of relying on private keys, your app just needs an API key and secret. Plus, we’ve set throughput limits and balance the load across different chains to keep things running smoothly. Check out the details here!
• For Bundlers and Paymasters, we recommend storing provider API keys as runtime secrets instead of embedding them in your build arguments. The Alchemy Bundler offers standard ERC-4337 endpoints, while the Biconomy Paymaster works with a single URL and a MODE flag. Both of these expect you to pull those API keys at runtime, which is a smarter way to handle things. Learn more about it here.
• The outcome? You get improved gas policy enforcement and handy “Gas optimization” options, all without putting your keys at risk in client code or repository history.

CI/CD Hardening and Guardrails

• Start by enabling GitHub Secret Protection and push protection. You can also add custom patterns for your internal tokens and make sure to mask any runtime-generated credentials in logs using add-mask. Check out the details here.
• Be careful not to print tokens from CLIs in your logs, especially when using cloud SDKs. According to Microsoft’s guidance, you should treat CLI outputs as sensitive information; it's always a good idea to mask or redirect them. You can read more about it here.
• When it comes to dealing with really large "secrets" like certificates or artifacts, try storing encrypted blobs instead. Only pass around short decrypt keys using Actions secrets, and avoid cramming massive base64 strings into your repo secrets. For more details, check this out: GitHub Docs.

Practical Recipes

Here are some super easy recipes that you can just copy and paste into your notes. They’re perfect for quick meals or snacks!

1. Classic Spaghetti Aglio e Olio

Ingredients:

• 400g spaghetti
• 6 garlic cloves, thinly sliced
• 1/2 cup extra virgin olive oil
• 1 tsp red pepper flakes (adjust to taste)
• Salt, to taste
• Fresh parsley, chopped (for garnish)
• Grated Parmesan cheese (optional)

Instructions:

1. Cook the spaghetti in a large pot of boiling salted water until al dente. Reserve 1 cup of pasta water, then drain.
2. In a large skillet, heat olive oil over medium heat. Add the sliced garlic and red pepper flakes. Cook until the garlic is golden and fragrant (be careful not to burn it).
3. Toss the cooked spaghetti into the skillet. Add reserved pasta water a little at a time if needed to help combine everything.
4. Season with salt, and toss to coat all the spaghetti in that delicious garlic oil.
5. Serve hot, garnished with fresh parsley and a sprinkle of Parmesan cheese if you like!

2. Easy Chicken Stir-Fry

Ingredients:

• 500g boneless chicken breast, sliced
• 2 cups mixed bell peppers, sliced
• 1 cup broccoli florets
• 3 tbsp soy sauce
• 1 tbsp sesame oil
• 2 garlic cloves, minced
• 1/2 tsp ginger, grated
• Cooked rice or noodles, for serving

Instructions:

1. Heat sesame oil in a pan over medium-high heat. Add garlic and ginger, sauté for about 30 seconds.
2. Toss in the sliced chicken and cook until browned and cooked through.
3. Add the bell peppers and broccoli to the pan. Stir-fry everything for about 5-7 minutes until the veggies are tender-crisp.
4. Pour in the soy sauce and mix well to coat all the ingredients.
5. Serve over rice or noodles for a complete meal!

3. No-Bake Chocolate Oatmeal Cookies

Ingredients:

• 1/2 cup unsweetened cocoa powder
• 1/2 cup peanut butter
• 1/2 cup honey or maple syrup
• 3 cups rolled oats
• 1 tsp vanilla extract
• A pinch of salt

Instructions:

1. In a large bowl, combine cocoa powder, peanut butter, honey (or maple syrup), vanilla extract, and salt. Mix until well combined.
2. Stir in the rolled oats until everything is evenly coated.
3. Drop spoonfuls of the mixture onto a lined baking sheet.
4. Let them sit at room temperature for about 30 minutes to firm up. Enjoy your sweet treats!

4. Quick Vegetable Soup

Ingredients:

• 1 onion, chopped
• 2 carrots, sliced
• 2 celery stalks, chopped
• 3 garlic cloves, minced
• 4 cups vegetable broth
• 1 can diced tomatoes
• 1 cup green beans, chopped
• 1 tsp dried thyme
• Salt and pepper, to taste

Instructions:

1. In a large pot, sauté the onion, carrots, and celery over medium heat until they start to soften.
2. Add the garlic and cook for another minute.
3. Pour in the vegetable broth and diced tomatoes, then stir in the green beans and thyme.
4. Bring to a boil, then reduce heat and let it simmer for about 20-25 minutes.
5. Season with salt and pepper to taste. Serve warm and enjoy!

These recipes are straightforward and should fit right into your weeknight dinner plans or even weekend gatherings. Happy cooking!

A) Get an On-Chain Address from KMS (AWS)

To grab an on-chain address using AWS Key Management Service (KMS), follow these simple steps:

1. Set Up Your AWS Account: If you haven’t already, make sure you have your AWS account ready and KMS set up.
2. Create a New Key:
   • Go to the KMS console.
   • Click on "Create key".
   • Choose the type of key you need (Symmetric or Asymmetric).
   • Follow the prompts to finish creating your key.
3. Generate the Address:
   • Use the AWS CLI or SDK to call the relevant KMS service to create your address. For example:

   aws kms create-key --description "My on-chain address key"

4. Get the Address:
   • After the key is generated, you'll have access to it. Use it in your wallet or app to create your on-chain address.
5. Store Your Key Securely: Don’t forget to back up and secure your key. You wouldn’t want to lose access to your on-chain address!

And that’s it! Now you have your very own on-chain address courtesy of AWS KMS.

# One-time: create ECC_SECG_P256K1 signing key in AWS KMS
aws kms create-key --key-spec ECC_SECG_P256K1 --key-usage SIGN_VERIFY \
  --description "Prod EVM Deployer"

# Derive address from public key (Python snippet shown in Alchemy docs)
# Or use Foundry:
AWS_REGION=us-east-1 AWS_KMS_KEY_ID=<key-id> cast wallet address --aws

This takes advantage of KMS's secp256k1 support while keeping the private key totally under wraps. Check out the details here!

B) Next.js Safe Environment Discipline

When working with Next.js, it's super important to manage your environment variables carefully to keep your app secure. Here's how to make sure you're following best practices:

What Are Environment Variables?

Environment variables are basically key-value pairs that help you configure your application without hardcoding sensitive information like API keys, database URLs, or other private data right into your code.

Why Do They Matter?

Using environment variables helps protect your app from leaking sensitive info. If you accidentally push your code to a public repository and your keys are hardcoded, you've just opened the door for someone to misuse those credentials. Yikes!

Best Practices for Safe Environment Variables

1. Use .env.local Files: Keep your sensitive variables in a .env.local file, which is ignored by git. This way, your secrets stay safe and out of version control.

   DATABASE_URL=mongodb://user:password@localhost:27017/mydb
   NEXT_PUBLIC_API_KEY=your_public_api_key

2. Prefix Public Variables: For any variables you want to expose to the browser (like your public API keys), make sure they start with NEXT_PUBLIC_. Everything else should remain private.
3. Keep Secrets Out of Git: Always add your .env files to .gitignore. This extra step helps ensure that none of your secrets slip into your public repositories.
4. Use Environment-Specific Variables: If you have different setups for development, testing, and production, consider using different .env files like .env.development or .env.production to keep things organized.
5. Validate Your Variables: Use tools like dotenv-safe or custom validation scripts to ensure all necessary environment variables are set and correctly configured.

Conclusion

Keeping your environment variables safe is a crucial part of developing with Next.js. By following these best practices, you can help secure your application and make your code cleaner and more maintainable. Always remember: security isn't just a feature; it's part of your development discipline!

# build stage
ARG NEXT_PUBLIC_APP_ENV
ENV NEXT_PUBLIC_APP_ENV=${NEXT_PUBLIC_APP_ENV}
RUN npm run build

# run stage (server-only secrets)
ENV DATABASE_URL=postgres://...
# Provided via K8s secret mount or container runtime, not baked at build

NEXT_PUBLIC_* variables get baked into the client bundle when you build your app, while server-only variables are accessed at runtime. Check out more details on this over at nextjs.org.

C) External Secrets Operator for EKS + AWS Secrets Manager

If you’re looking to manage secrets in your EKS cluster using AWS Secrets Manager, the External Secrets Operator is a great tool to consider. It helps you pull secrets from AWS seamlessly and inject them into your Kubernetes environment.

What You Need

Before you dive in, make sure you have the following set up:

• An EKS cluster up and running
• AWS CLI installed and configured
• kubectl set up to manage your EKS cluster
• Helm (for easy deployment)

Installing External Secrets Operator

1. First, you need to add the External Secrets Operator Helm chart repository:

   helm repo add external-secrets https://charts.external-secrets.io
   helm repo update

2. Now, install the operator:

   helm install external-secrets external-secrets/external-secrets

3. To verify the installation, check the status:

   kubectl get pods -n default

Configuring AWS Secrets Manager

Next, you'll want to create a secret in AWS Secrets Manager:

1. Go to the AWS Secrets Manager console.
2. Click "Store a new secret."
3. Input your key-value pairs (like API keys) and name your secret.
4. Save your secret, and note down the ARN (Amazon Resource Name) for later.

Creating an External Secret

Now, you need to create an ExternalSecret resource in your Kubernetes cluster:

1. Create a secret.yaml file with the following structure:

   apiVersion: external-secrets.io/v1alpha1
   kind: ExternalSecret
   metadata:
     name: my-secret
   spec:
     backendType: secretsManager
     data:
       - key: <YOUR_SECRET_ARN>
         name: my-api-key
         property: key

   Be sure to replace with the actual ARN of your secret.

2. Apply the YAML file:

   kubectl apply -f secret.yaml

Accessing the Secrets

To access the secrets in your pods, you can now reference them in your deployments:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: my-app
          image: my-app-image
          env:
            - name: MY_API_KEY
              valueFrom:
                secretKeyRef:
                  name: my-secret
                  key: my-api-key

Conclusion

With the External Secrets Operator, you can efficiently manage your secrets from AWS Secrets Manager directly in your EKS cluster. It simplifies the process, keeps your secrets secure, and ensures that your applications have what they need without hardcoding sensitive information.

For more details, check out the External Secrets Operator docs and the AWS Secrets Manager documentation.

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata: { name: aws-sm }
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1
      auth:
        jwt:
          serviceAccountRef:
            name: eso-sa
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata: { name: app-config }
spec:
  refreshInterval: 1h
  secretStoreRef: { name: aws-sm, kind: SecretStore }
  target: { name: app-config, creationPolicy: Owner }
  data:
    - secretKey: alchemyApiKey
      remoteRef: { key: prod/alchemy, property: key }

ESO syncs secrets and keeps Pods updated on rotation. If you're using EKS, you can also mount secrets through the AWS Secrets Store CSI add-on. Check it out here!

D) ZK Artifact Verification (snarkjs)

When it comes to ZK artifact verification using snarkjs, you’ll want to follow a few straightforward steps. Here’s a quick rundown on how to get everything set up and running smoothly!

Step 1: Install snarkjs

First off, make sure you have snarkjs installed. If you haven't done this yet, you can install it via npm:

npm install -g snarkjs

Step 2: Verify the ZK Artifact

Once you have snarkjs ready to go, you can start the verification process. Here’s how to do it:

snarkjs groth16 verify <path_to_verification_key.json> <path_to_proof.json> <path_to_public_inputs.json>

Just replace , , and with the actual paths to your files.

Step 3: Understanding the Output

After you run the verification command, you should see an output that tells you whether the proof is valid or not. It’ll look something like this:

either the proof is valid or invalid

Pretty straightforward, right?

Additional Notes

• Make sure that the paths you're using are correct, or else you might run into some pesky errors.
• If you're curious and want to dive deeper into the nitty-gritty of snarkjs, check out the official documentation.

And there you have it! Those are the basics of ZK artifact verification with snarkjs. Happy verifying!

# Verify Powers of Tau and zkey before deploy:
snarkjs powersoftau verify pot14_final.ptau
snarkjs zkey verify circuit.r1cs pot14_final.ptau circuit_final.zkey
# Extract vk for on-chain comparison
snarkjs zkey export verificationkey circuit_final.zkey vk.json

Make sure to use snarkjs version 0.7.0 or higher to steer clear of any CVE‑2023‑33252-related problems. You can check it out here.

What You Get with 7Block Labs (Methodology and Metrics)

When you partner with 7Block Labs, you're tapping into a solid methodology and some pretty impressive metrics. Here’s what you can expect:

Tailored Methodology

1. Deep-Dive Analysis
   We start with a thorough analysis of your unique situation, diving into your current processes and systems. This helps us figure out where you shine and where there's room for improvement.
2. Collaborative Approach
   We believe in teamwork! Our methodology encourages collaboration, so you’ll be involved every step of the way. We’ll brainstorm together to ensure the solutions we come up with truly fit your needs.
3. Iterative Improvements
   Instead of a one-and-done deal, we aim for continuous improvement. Our process is all about testing, learning, and refining to keep getting better.
4. Feedback Loops
   Your feedback is essential. We set up regular check-ins to discuss progress, address concerns, and refine our approach as needed.

Solid Metrics

1. Key Performance Indicators (KPIs)
   We track specific KPIs that matter most to your success. This way, we can measure progress and make data-driven decisions.
2. Benchmarking
   We compare your performance against industry standards and best practices. This helps us set realistic goals and stay on track.
3. Reporting
   You’ll receive clear and transparent reports that break down our findings and progress in a way that makes sense. No more jargon--just straightforward insights.
4. Real-Time Dashboards
   Get instant access to our interactive dashboards, showing live data on your project's progress. It's like having your finger on the pulse at all times!

In a Nutshell

At 7Block Labs, our methodology isn’t just a set process--it’s a partnership that evolves with you. Plus, our metrics give you a clear picture of how things are going, ensuring accountability and improvement. Ready to take your projects to the next level? Let’s do this together!

• Architecture & Implementation
  • We make sure every secret has a solid source of truth, whether that’s KMS for signing and verifying, Secrets Manager or Key Vault for app/runtime secrets, or ESO for K8s. We’ve also cleaned up our repositories by removing .env files and ditched long-lived CI credentials by switching to OIDC.
  • We enhance environment protections in GitHub with approval processes, connect our logs to SIEM for better monitoring, and gather SOC 2 evidence, including access policies, rotation logs, and approval trails. You can dive deeper into this here.
  • We’re refactoring our Next.js and Vite builds by using public configuration as build arguments, keeping server secrets confined to runtime, and running secret scans to ensure that our production bundles are free of any sensitive strings. More info can be found here.
  • When it comes to ZK stacks, we’re creating a provenance pipeline: think deterministic circuits, a pinned toolchain, artifact hashing, and ensuring we can verify everything reproducibly. Check out the details here.
• Here are the tools we're standardizing on:
  • We're going with Cloud KMS for managing EVM keys, whether you're on AWS, Azure, or GCP. You can use libraries or managed relayers, plus we have Hardhat 3 configuration variables and a keystore setup. For explorers, we’re using the Foundry keystore along with environment variables. You can check out more here.
  • When it comes to Kubernetes, we're all about the External Secrets Operator and Secrets Store CSI. These tools make it easier to manage secrets seamlessly. If you want to dive deeper, you can find the details here.
  • Lastly, we’re leveraging GitHub OIDC across different cloud platforms. This setup includes custom secret-scanning patterns and push protection to keep everything secure. For the nitty-gritty, check out the guide here.
• GTM/business outcomes we’ve tracked over the last year (blended across different projects):
  • We’ve cut down stored CI secrets by an impressive 90% by shifting to OIDC/KMS, and guess what? There haven't been any P0 secret leaks during launches!
  • Compliance readiness for SOC 2 Type II has sped up by 35-50% thanks to automated evidence like approvals, rotation, and access logs.
  • We’ve also seen a 40% drop in those annoying “late-night” deploy failures. This happened because we ditched the build-time secret coupling and switched to runtime fetch + rotation.
  • On top of that, we’re saving around 25-30% in infrastructure costs by consolidating onto cloud-native KMS/Secrets instead of relying on third-party vaults that just duplicate controls.

How We Get Involved (and Where We Fit into Your Stack)

• Design + Implement: We’ll help you create and roll out architecture, Infrastructure as Code (IaC), CI/CD modifications, KMS signers, ESO, and make sure your front-end build is running smoothly. Plus, we’ll hand everything over with detailed runbooks and a SOC 2 evidence pack so you’re all set.
• Security Review and Hardening: We dive deep into a focused audit of secret flows as part of our security audit services, and we’ll tackle any issues we find right within your pipelines.
• Platform Work: Let’s integrate secrets seamlessly into your systems and decentralized applications (dapps) through our blockchain integration expertise, and we can also help you launch production-ready apps with our web3 development services and smart contract development.

Quick Reference (You can throw these in your PR checklists)

• Always keep .env* files out of the repo. Instead, go for SOPS + age and only decrypt them in CI/deploy using OIDC + KMS. Check it out here.
• When working with KMS, use secp256k1 for your deployers and relayers. Don’t export those keys! Just derive addresses from the public key and make sure to log all Sign requests. More details here.
• For Next.js, make sure to expose only public config through NEXT_PUBLIC_* during the build. Keep those secrets safely on the server during runtime. Find out more here.
• When dealing with Kubernetes, use the External Secrets Operator or Secrets Store CSI, and don't forget to enable rotation. Check that out here.
• For ZK, make sure you're using snarkjs version 0.7 or higher. Verify your PTAU/zkey in CI and always publish checksums with your releases. You can read more about it here.
• On GitHub, utilize OIDC to connect to clouds, set up Environments with required reviewers, and enable secret scanning along with push protection and custom patterns. Remember to mask all your dynamic tokens! Details can be found here.

Where to Go Deeper with 7Block

• Ready to build or scale your dapp? Check out our dapp development and custom blockchain development services to get started.
• Looking to enhance your project with cross-chain and rollup integrations? Our cross‑chain solutions development and blockchain bridge development have got you covered.
• Need a hand with fundraising? Our fundraising advisory can help you launch your project securely.

CTA: Schedule Your 90-Day Pilot Strategy Call

References

• AWS KMS ECC_SECG_P256K1, algorithms, CreateKey usage. (docs.aws.amazon.com)
• Azure Key Vault ES256K support (P‑256K) and HSM options. (learn.microsoft.com)
• Google Cloud KMS secp256k1 (HSM) and Keccak digest guidance. (cloud.google.com)
• GitHub OIDC to AWS, trust policy scoping; Environments approvals. (docs.github.com)
• External Secrets Operator docs & GA note; EKS Secrets Store CSI. (github.com)
• Next.js env variable behavior (client inlining). (nextjs.org)
• snarkjs security advisory; Powers of Tau and zkey verification. (security.snyk.io)
• OpenZeppelin Defender Relayers (keys in KMS). (docs.openzeppelin.com)
• Alchemy Bundler (ERC‑4337), Biconomy Paymaster API keys. (alchemy.com)

Book a 90-Day Pilot Strategy Call

Ready to dive into your next big project? Our 90-Day Pilot Strategy Call is just what you need to kickstart your plans!

Here's what you can expect:

• Customized Strategy: We’ll take a look at your unique goals and tailor a game plan that works specifically for you.
• Expert Insights: Tap into our team's wealth of experience and get valuable tips to navigate your challenges.
• Actionable Steps: Walk away with clear, step-by-step guidance to keep you on track.

How to Book

1. Choose a Date: Head over to our booking calendar and select a time that fits your schedule.
2. Fill Out the Form: Provide us with a bit of info about your project so we can prep for our call.
3. Confirmation: You’ll receive a confirmation email with all the details.

Let’s transform your ideas into reality! Looking forward to speaking with you soon!