hdwallet-provider requires plaintext mnemonic

• I’ve asked for help in the Truffle Gitter before filing this issue.

Issue

hdwallet-provider requires plaintext mnemonic.

Steps to Reproduce

I want to deploy a contract to a network using truffle/hdwallet-provider and truffle migrate --network rinkeby, for example. Accordingly, I’ve defined by truffle-config.js file like so:

const HDWalletProvider = require('@truffle/hdwallet-provider');
const fs = require('fs');
const mnemonic = fs.readFileSync(".keysToTheKingdom").toString().trim();

const infuraURL = 'https://rinkeby.infura.io/v3/MY-PROJECT-ID'
const infuraKey = fs.readFileSync(".infuraProjectSecret").toString().trim();

var HDWallet = require('@truffle/hdwallet-provider')

module.exports = {
  networks: {
      rinkeby: {
	  provider: () => new HDWalletProvider(mnemonic, infuraURL),
	  network_id: 4,       // Rinkeby's network id 
	  gas: 5500000,
      },
};

This works, but requires me to store my mnemonic on my host in plaintext somewhere. This is insecure, regardless of the fact that I’m storing it in a hidden file.

Expected Behavior

Do not require plaintext wallet mnemonics to deploy to networks. Instead, some public keys or a hash of the wallet mnemonic should be provided.

Or some other workaround?

Actual Results

Deployment to network works, but this requires storing wallet mnemonics in plaintext on the host somewhere. If the host becomes compromised, the keys to the kingdom, and my entire net worth, are lost. Storing this in plaintext is wild because of how critical this mnemonic is. It’s 2020 - we don’t store passwords in plaintext in a file on our host… why should we do it with something so critical as a wallet mnemonic?

Environment

• Operating System: Ubuntu 18.04
• Ethereum client: geth v1.9.21
• Truffle version (truffle version): 5.1.43
• node version (node --version): 8.10.0
• npm version (npm --version): 6.14.8