diff --git a/Cargo.lock b/Cargo.lock
index 5bd4326..a4875f0 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -3937,6 +3937,7 @@ dependencies = [
  "tracing-subscriber 0.3.19",
  "tracing-test",
  "url",
+ "zeroize",
  "zerokit_utils",
 ]
 
@@ -4905,6 +4906,7 @@ dependencies = [
  "thiserror 2.0.12",
  "tokio",
  "url",
+ "zeroize",
 ]
 
 [[package]]
diff --git a/Cargo.toml b/Cargo.toml
index e00fad7..9869e6f 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -18,6 +18,7 @@ alloy = { version = "1.0", features = ["getrandom", "sol-types", "contract", "pr
 async-trait = "0.1"
 derive_more = "2.0.1"
 thiserror = "2.0"
+zeroize = "1.8"
 # dev
 criterion = { version = "0.6", features = ["async_tokio"] }
 
diff --git a/prover/Cargo.toml b/prover/Cargo.toml
index 8f54679..a22638f 100644
--- a/prover/Cargo.toml
+++ b/prover/Cargo.toml
@@ -45,6 +45,7 @@ zerokit_utils = { git = "https://github.com/vacp2p/zerokit", package = "zerokit_
 rln_proof = { path = "../rln_proof" }
 smart_contract = { path = "../smart_contract" }
 rayon = "1.7"
+zeroize.workspace = true
 
 [build-dependencies]
 tonic-build = "*"
diff --git a/prover/src/grpc_service.rs b/prover/src/grpc_service.rs
index 1d05619..a44fb1a 100644
--- a/prover/src/grpc_service.rs
+++ b/prover/src/grpc_service.rs
@@ -21,6 +21,7 @@ use tonic_web::GrpcWebLayer;
 use tower_http::cors::{Any, CorsLayer};
 use tracing::{debug, error};
 use url::Url;
+use zeroize::Zeroizing;
 // internal
 use crate::error::{AppError, ProofGenerationStringError};
 use crate::metrics::{
@@ -313,10 +314,10 @@ impl GrpcProverService {
             panic!("Please provide karma_sc_info or use serve_with_mock");
         };
         let karma_rln_sc = if let Some(rln_sc_info) = self.rln_sc_info.as_ref() {
-            let private_key = std::env::var("PRIVATE_KEY").map_err(|_| {
+            let private_key = Zeroizing::new(std::env::var("PRIVATE_KEY").map_err(|_| {
                 error!("PRIVATE_KEY environment variable is not set");
                 AppError::RlnScError(RlnScError::EmptyPrivateKey)
-            })?;
+            })?);
             KarmaRLNSCInstance::try_new_with_signer(
                 rln_sc_info.0.clone(),
                 rln_sc_info.1,
diff --git a/smart_contract/Cargo.toml b/smart_contract/Cargo.toml
index 535213c..4d335ef 100644
--- a/smart_contract/Cargo.toml
+++ b/smart_contract/Cargo.toml
@@ -24,6 +24,7 @@ log = "0.4.27"
 tokio = { version = "1", features = ["macros", "rt-multi-thread"] }
 clap = { version = "4.0", features = ["derive"] }
 rustls = "0.23.31"
+zeroize.workspace = true
 
 [dev-dependencies]
 claims = "0.8"
diff --git a/smart_contract/src/rln_sc.rs b/smart_contract/src/rln_sc.rs
index a07ed0b..e5d9915 100644
--- a/smart_contract/src/rln_sc.rs
+++ b/smart_contract/src/rln_sc.rs
@@ -12,6 +12,7 @@ use alloy::{
 use async_trait::async_trait;
 use std::str::FromStr;
 use url::Url;
+use zeroize::Zeroizing;
 // internal
 use crate::common::AlloyWsProvider;
 
@@ -73,7 +74,7 @@ impl KarmaRLNSC::KarmaRLNSCInstance<AlloyWsProvider> {
     pub async fn try_new_with_signer(
         rpc_url: Url,
         address: Address,
-        private_key: String,
+        private_key: Zeroizing<String>,
     ) -> Result<KarmaRLNSC::KarmaRLNSCInstance<impl alloy::providers::Provider>, RlnScError> {
         if private_key.is_empty() {
             return Err(RlnScError::EmptyPrivateKey);
diff --git a/smart_contract/src/rln_sc_test.rs b/smart_contract/src/rln_sc_test.rs
index 1383eed..2561539 100644
--- a/smart_contract/src/rln_sc_test.rs
+++ b/smart_contract/src/rln_sc_test.rs
@@ -1,12 +1,16 @@
+// std
+use std::str::FromStr;
+// third-party
 use alloy::{
     hex,
     primitives::{Address, U256},
 };
 use clap::Parser;
 use rustls::crypto::aws_lc_rs;
-use smart_contract::{KarmaRLNSC, RlnScError};
-use std::str::FromStr;
 use url::Url;
+use zeroize::Zeroizing;
+// internal
+use smart_contract::{KarmaRLNSC, RlnScError};
 
 #[derive(Parser, Debug)]
 #[command(author, version, about, long_about = None)]
@@ -20,6 +24,7 @@ struct Args {
     contract_address: String,
 
     /// Private key for signing transactions
+    /// Warning: this is a test key, do not use in production
     #[arg(long, default_value = "")]
     private_key: String,
 
@@ -61,7 +66,7 @@ async fn main() -> Result<(), RlnScError> {
 
     // Connect to KarmaRLN contract with signer
     let rln_contract =
-        KarmaRLNSC::KarmaRLNSCInstance::try_new_with_signer(url, contract_addr, args.private_key)
+        KarmaRLNSC::KarmaRLNSCInstance::try_new_with_signer(url, contract_addr, Zeroizing::new(args.private_key))
             .await?;
 
     println!("Successfully connected to RLN contract with signer at {contract_addr}",);