Secure Ethereum Transfers: Using Geth with Clef for Private‑Key Safety

Introduction

Protecting private keys is critical in Ethereum development. While Geth can manage accounts directly, using an external signer such as Clef isolates key management from the node, reducing the risk of key exposure.

Prerequisites

Geth node running with the --signer ipc option pointing to Clef’s IPC file.

Clef process started and managing a newly created account.

Genesis address 0x... holding 1000 ETH.

Target address managed by Clef: 0xc4c5c88bed94f97d22e68dd02ba91d31c06c10cb (initial balance 0 ETH).

Step 1 – Connect to the Geth console and check balances

Attach to the running node: geth attach ipc:\\.\pipe\geth.ipc Define variables and query balances:

// In the Geth console
var sourceAccount = "0x...";
var targetAccount = "0xc4c5c88bed94f97d22e68dd02ba91d31c06c10cb";

// Check source balance (ether)
web3.fromWei(eth.getBalance(sourceAccount), "ether"); // 1000

// Check target balance (ether)
web3.fromWei(eth.getBalance(targetAccount), "ether"); // 0

Step 2 – Build and send the transaction

Construct a transaction that moves 10 ETH from the source to the target. Because the source key resides in Clef, the from field must be explicitly set.

eth.sendTransaction({
  from: sourceAccount,
  to: targetAccount,
  value: web3.toWei(10, "ether")
});

After submitting, Geth shows a pending status while waiting for Clef’s approval.

Step 3 – Approve the transaction in Clef

Clef displays a detailed approval request in its terminal:

--------- Transaction request ------------
to:   0xC4C5C88Bed94F97D22e68dD02BA91D31C06c10CB
from: 0x... [chksum ok]
value: 10000000000000000000 wei
gas: 0x5208 (21000)
gasprice: 1000000 wei
nonce: 0x0 (0)
chainid: 0x539

Approve? [y/N]: y
Password for account 0x...: ********

Upon entering the password, Clef signs the transaction, returns the signed data to Geth, and Geth broadcasts it, printing a transaction hash such as 0x123abc....

Step 4 – Verify the transaction result

Re‑query the balances to confirm the transfer:

// Source balance (should be ~990 ETH, minus gas)
web3.fromWei(eth.getBalance(sourceAccount), "ether"); // 990

// Target balance (should be 10 ETH)
web3.fromWei(eth.getBalance(targetAccount), "ether"); // 10

The source account decreased by 10 ETH (plus a small gas fee) and the target account received the 10 ETH, confirming a successful transfer.

Process diagram

The following diagram visualizes the full workflow from transaction creation to Clef approval and Geth broadcast:

Key takeaways

Separation of duties: Geth handles node operations while Clef exclusively manages private keys and signing.

Manual review: Clef’s approval prompt provides an extra security checkpoint before any signature is produced.

Explicit source address: When using an external signer, the from field must be set in eth.sendTransaction to indicate the paying account.

Practical tip

For repetitive, pattern‑based transactions (e.g., in test scripts), manually entering passwords each time is cumbersome. Clef supports JavaScript‑based Rules that can automatically approve transactions meeting criteria such as a specific destination address and an amount below 1 ETH.