A Quorum account plugin that enables storing accounts in a Hashicorp Vault

Consensys/quorum-account-plugin-hashicorp-vault

Hashicorp Vault plugin for Quorum

The Hashicorp Vault plugin enables the storage of Quorum account private keys in a Hashicorp Vault.

It can be used with Quorum or clef.

Using the Hashicorp Vault plugin offers several benefits:

  • Account private keys are stored in a Hashicorp Vault, which can be deployed on infrastructure separate from the node

  • Vault allows for fine-grained access control to secrets

Storage options

Accounts can be stored in the standard Hashicorp Vault KV v2 secret engine or the custom quorum-signer secret engine:

  • kv

    • Account private keys are stored in Vault but must be retrieved by Quorum when signing data
  • quorum-signer (v0.2.0+ only)

    • Account private keys never leave the Vault boundary. Data is sent to the quorum-signer for signing.

Building

Quorum will automatically download the plugin from Bintray at startup.

Alternatively, the plugin can be downloaded or built manually and added to the baseDir:

make
cp build/dist/quorum-account-plugin-hashicorp-vault-<version>.zip /path/to/baseDir

Quickstart

See the quickstart examples for step-by-step walkthroughs of how to set up and manage Quorum accounts with Vault:

Configuration

See docs/configuration for complete documentation of the configuration options.

Creating accounts

See docs/creating-accounts for details on creating Vault-stored accounts.

FAQ

See docs/faq for additional info on various items.

Run tests

make test

# run integration tests (vault, quorum and clef must be on PATH)
make itest

Further reading