Security
Local-first. No backend. Your keys never leave your browser.
Architecture
HotKey Wallet is a Chrome extension that runs entirely in your browser. There are no hosted wallets, accounts, or backend databases. Everything critical happens locally:
- Private keys are encrypted and stored in chrome.storage.local
- Trades are signed in the extension service worker
- External communication is limited to Solana RPC, Jupiter, Helius, Jito, and market-data APIs
Key Encryption
- Password derivation: Your password is run through PBKDF2 with 100,000 iterations and a random salt.
- Encryption: Private keys are encrypted with AES-256-GCM using the derived key and a random IV.
- Storage: The encrypted blob, salt, and IV are stored in Chrome's local storage. The password is never stored.
- Decryption: Unlocking re-derives the key from your password. A wrong password fails decryption.
Why PBKDF2 with 100K iterations? It makes brute-force password guessing computationally expensive if encrypted browser data is ever extracted: an attacker who copies the storage blob must pay the full derivation cost for every password guess, and cannot recover the AES key without the password. Note that 100,000 iterations is a moderate work factor by current guidance, so the strength of the password itself remains the main defence.
Memory Management
When your wallet is unlocked, decrypted private keys are held in the service worker's memory, not written back to storage.
- Process-isolated: Other extensions and web pages cannot access it
- Cleared on lock: Auto-lock or manual lock wipes decrypted keys
- Cleared on restart: Chrome terminates idle extension service workers; when that happens the decrypted keys are gone and you must re-enter your password
Auto-Lock
Configurable inactivity timeout defaults to 15 minutes. When triggered:
- All decrypted private keys are deleted from memory.
- The sidebar switches to the lock screen.
- No trades can be executed until you re-enter your password.
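The memory-management and auto-lock behaviour above, as an added example that is not HotKey Wallet's own code: an in-memory vault whose decrypted keys are never written to storage, are overwritten on lock, and are dropped after the inactivity timeout (15 minutes by default, as on the page). The clock is passed in explicitly so the lock logic can be exercised without real timers; the class and method names, and the sample key, are this example's assumptions.

```javascript
// Added example (not HotKey Wallet's own code): in-memory key vault with
// inactivity auto-lock. Time is an explicit parameter (milliseconds) so the
// logic is deterministic; a real service worker would feed it from an alarm.
const DEFAULT_AUTO_LOCK_MS = 15 * 60 * 1000;

class KeyVault {
  constructor(autoLockMs = DEFAULT_AUTO_LOCK_MS) {
    this.autoLockMs = autoLockMs;
    this.keys = new Map(); // walletId -> Uint8Array of decrypted key bytes
    this.lastActivity = 0;
  }

  get locked() {
    return this.keys.size === 0;
  }

  // Called after a successful password unlock with the decrypted key bytes.
  // The vault keeps its own copy so the caller's buffer can be dropped.
  unlock(walletId, keyBytes, now) {
    this.keys.set(walletId, Uint8Array.from(keyBytes));
    this.lastActivity = now;
  }

  // Record user activity so the inactivity countdown restarts.
  touch(now) {
    if (!this.locked) this.lastActivity = now;
  }

  // Manual lock: overwrite every key before dropping the reference so the
  // bytes do not linger until garbage collection.
  lock() {
    for (const k of this.keys.values()) k.fill(0);
    this.keys.clear();
  }

  // Auto-lock check; returns true if the vault locked because of inactivity.
  lockIfIdle(now) {
    if (this.locked || now - this.lastActivity < this.autoLockMs) return false;
    this.lock();
    return true;
  }

  // Hand a key to a signing routine only while unlocked; refuse otherwise.
  withKey(walletId, now, fn) {
    if (this.lockIfIdle(now)) throw new Error('wallet locked: auto-lock fired');
    const key = this.keys.get(walletId);
    if (!key) throw new Error('wallet locked: re-enter password');
    this.touch(now);
    return fn(key);
  }
}

// Walk through the lifecycle with a constructed 32-byte key and a fake clock.
function demoVault() {
  const vault = new KeyVault();
  const sampleKey = new Uint8Array(32).fill(0xaa); // constructed, not a real key
  vault.unlock('w1', sampleKey, 0);
  const signedAt10min = vault.withKey('w1', 10 * 60_000, (k) => k.length); // unlocked, counts as activity
  const lockedAfterIdle = vault.lockIfIdle(10 * 60_000 + DEFAULT_AUTO_LOCK_MS); // 15 min idle since last use
  let refused = false;
  try {
    vault.withKey('w1', 30 * 60_000, (k) => k.length);
  } catch (_err) {
    refused = true; // no trades until the password is re-entered
  }
  return { signedAt10min, lockedAfterIdle, refused, locked: vault.locked };
}

console.log(demoVault());
```

Two caveats for a Manifest V3 service worker: do not drive the timeout with setTimeout, because Chrome can terminate the worker before it fires (chrome.alarms is the documented mechanism, and worker termination itself also discards the in-memory keys, which is the "cleared on restart" case above); and JavaScript cannot guarantee that no copy of the key bytes remains in the heap, so fill(0) reduces exposure rather than eliminating it.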
Content Security Policy
- script-src 'self': only scripts bundled with the extension can execute; inline and remotely hosted scripts are blocked
- object-src 'self': no external plugins or objects
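Where those directives live in a Manifest V3 extension, as an added illustration rather than HotKey Wallet's actual manifest (the other manifest fields are omitted). You can confirm an installed extension's policy by opening its manifest.json from the unpacked extension directory or the extension's details page.

```json
{
  "manifest_version": 3,
  "content_security_policy": {
    "extension_pages": "script-src 'self'; object-src 'self'"
  }
}
```

This is also Chrome's default policy for MV3 extension pages; Chrome rejects attempts to loosen it with remote script sources or 'unsafe-eval', so the manifest can only keep it at this level or tighten it.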
Transaction Signing
- The extension builds the transaction for a swap, send, or limit order.
- The transaction is signed with your decrypted private key in memory.
- The signed transaction is sent to the blockchain through your selected route.
- Private keys never leave the extension process.
Network Communication
- Solana RPC — balance queries, transaction submission, account info
- Jupiter API — swap quotes, token search, and limit order management
- Helius API — transaction history, token metadata, and holder verification
- Jito Block Engine — bundle submission when using the Jito engine
- DexScreener API — token prices and market data
- Google Analytics — optional anonymized feature usage, with opt-out available
No private keys or seed phrases are ever sent to any external service.
Best Practices
- Use a strong, unique password.
- Back up private keys immediately after creating or importing a wallet.
- Set auto-lock to 5 or 15 minutes.
- Never share your password or private keys with anyone.
- Use balance hiding when screen sharing.
- Keep Chrome and the extension updated.