
Using Web3Signer with HashiCorp Vault

Web3Signer supports storing the signing key in HashiCorp Vault.

Storing a private key in HashiCorp Vault

After installing HashiCorp Vault and starting the server:

  1. Set the VAULT_ADDR environment variable using the command displayed after starting the server:

    export VAULT_ADDR='http://127.0.0.1:8200'
    
  2. Copy the root token displayed after starting the server, or save it in a file.

  3. Enable the secret mount point using KV v2 engine:

    Example

    Using Vault CLI, enable the KV v2 secret mount point:

    vault secrets enable -path=secret kv-v2
    

    Note

    Use kv-v2 type as indicated in KV v2 doc. Web3Signer only works with v2 secrets.

    Example Vault command to check if an existing secret is v1 or v2

    If the engine is KV v2, the secret is versioned and the output includes a Metadata section with a version field:

    vault kv get /secret/web3signerSigningKey
    
    ====== Metadata ======
    Key              Value
    ---              -----
    created_time     2020-11-27T10:15:59.91752Z
    deletion_time    n/a
    destroyed        false
    version          1
    
    ==== Data ====
    Key      Value
    ---      -----
    value    17079f966aa2d5db1678ed32467165bbbd640868e7371ade8d5812ea856d2bbf
    
  4. Write the key in HashiCorp Vault as a hex string (without 0x prefix):

    vault kv put secret/web3signerSigningKey value=<Private Key without 0x prefix>
    
    vault kv put secret/web3signerSigningKey value=17079f966aa2d5db1678ed32467165bbbd640868e7371ade8d5812ea856d2bbf
    
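Example (added here; this is not code from the Web3Signer docs or codebase): a small Python check that tells a KV v1 read response apart from a KV v2 one by its shape, and validates that the stored key is a bare 32-byte hex string without a 0x prefix, as step 4 requires. The two JSON responses are constructed samples modelled on Vault's HTTP API (a KV v2 read of secret/data/<name> nests the fields under data.data and adds data.metadata; a KV v1 read returns the fields directly under data). The key value is the sample from this page; the request_id is made up.

```python
import json
import re

# Constructed sample responses, not real Vault output. Shapes follow the Vault HTTP API:
# KV v2 (GET /v1/secret/data/<name>) nests the secret under data.data and adds data.metadata;
# KV v1 (GET /v1/secret/<name>) places the secret fields directly under data.
KV2_RESPONSE = json.dumps({
    "request_id": "constructed-example",
    "data": {
        "data": {
            "value": "17079f966aa2d5db1678ed32467165bbbd640868e7371ade8d5812ea856d2bbf"
        },
        "metadata": {
            "created_time": "2020-11-27T10:15:59.91752Z",
            "deletion_time": "",
            "destroyed": False,
            "version": 1,
        },
    },
})

KV1_RESPONSE = json.dumps({
    "request_id": "constructed-example",
    "data": {
        "value": "17079f966aa2d5db1678ed32467165bbbd640868e7371ade8d5812ea856d2bbf"
    },
})

# Exactly 64 hex characters: a 32-byte key with no 0x prefix.
HEX_KEY_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def kv_version(response_json: str) -> int:
    """Classify a Vault read response as KV v1 or KV v2 by its shape.

    KV v2 wraps the secret fields in data.data and reports data.metadata
    (the same metadata `vault kv get` prints, including version); KV v1 has neither.
    """
    body = json.loads(response_json)
    data = body.get("data")
    if not isinstance(data, dict):
        raise ValueError("response has no data object")
    if isinstance(data.get("data"), dict) and isinstance(data.get("metadata"), dict):
        return 2
    return 1


def validate_key_hex(value: str) -> str:
    """Check that a stored key is a bare 32-byte hex string, as the docs require."""
    if value.startswith(("0x", "0X")):
        raise ValueError("key must be stored without the 0x prefix")
    if not HEX_KEY_RE.match(value):
        raise ValueError("key must be exactly 64 hex characters (32 bytes)")
    return value.lower()


def extract_signing_key(response_json: str, field: str = "value") -> str:
    """Return the validated key from a KV v2 response; reject KV v1 secrets."""
    if kv_version(response_json) != 2:
        raise ValueError("secret engine is KV v1; Web3Signer requires KV v2 (enable with kv-v2)")
    data = json.loads(response_json)["data"]
    if data["metadata"].get("destroyed"):
        raise ValueError("this secret version has been destroyed")
    if field not in data["data"]:
        raise ValueError(f"secret has no field named {field!r}")
    return validate_key_hex(data["data"][field])


if __name__ == "__main__":
    print("KV2 sample engine version:", kv_version(KV2_RESPONSE))
    print("KV1 sample engine version:", kv_version(KV1_RESPONSE))
    print("signing key:", extract_signing_key(KV2_RESPONSE))
```

The version check is deliberately structural rather than path-based: with the CLI, `vault kv put secret/web3signerSigningKey value=...` is rewritten to the v2 data path for you, so the response shape is the reliable signal when you are auditing an existing mount.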

Create the Known Servers File

The known servers file is required if TLS is enabled. To disable TLS, set tlsEnabled to false.

Specify the location of the known servers file in the tlsKnownServersPath option of the signing key configuration file.

The file contents use the format <hostname>:<port> <hex-string> where:

  • <hostname> is the server hostname
  • <port> is the port used for communication
  • <hex-string> is the SHA-256 fingerprint of the server’s certificate.

Example

localhost:8200 7C:B3:3E:F9:98:43:5E:62:69:9F:A9:9D:41:14:03:BA:83:24:AC:04:CE:BD:92:49:1B:8D:B2:A4:86:39:4C:BB
127.0.0.1:8200 7C:B3:3E:F9:98:43:5E:62:69:9F:A9:9D:41:14:03:BA:83:24:AC:04:CE:BD:92:49:1B:8D:B2:A4:86:39:4C:BB
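Example (added here; not code from the Web3Signer docs or project): a Python helper that produces a known servers line in the <hostname>:<port> <hex-string> format from a certificate's DER bytes, parses an existing file, and checks whether the certificate a server presents matches the pinned fingerprint. SAMPLE_CERT_DER is a constructed byte string standing in for a real DER certificate so the demo runs offline; fetch_server_cert_der shows how to obtain the real bytes from a live server using the standard library.

```python
import hashlib
import re
import ssl
from typing import Dict, Tuple

# Constructed stand-in for a server certificate in DER form (not a real X.509 blob).
# For a real check, pass the DER bytes of the Vault server's certificate instead.
SAMPLE_CERT_DER = b"constructed-sample-certificate-der-bytes-not-a-real-x509"

# One file line: <hostname>:<port> <32 colon-separated hex bytes> (SHA-256 fingerprint).
LINE_RE = re.compile(
    r"^(?P<host>[^:\s]+):(?P<port>\d+)\s+(?P<fp>(?:[0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2})$"
)


def sha256_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER certificate, formatted as colon-separated uppercase hex."""
    digest = hashlib.sha256(cert_der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def known_servers_line(host: str, port: int, cert_der: bytes) -> str:
    """Render one line in the known servers file format."""
    return f"{host}:{port} {sha256_fingerprint(cert_der)}"


def parse_known_servers(text: str) -> Dict[Tuple[str, int], str]:
    """Parse file contents into {(host, port): fingerprint}; reject malformed lines."""
    entries: Dict[Tuple[str, int], str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(
                f"line {lineno}: expected '<hostname>:<port> <fingerprint>', got {raw!r}"
            )
        entries[(match["host"], int(match["port"]))] = match["fp"].upper()
    return entries


def is_known_server(entries: Dict[Tuple[str, int], str], host: str, port: int, cert_der: bytes) -> bool:
    """True only if host:port is pinned and the presented certificate matches the pin."""
    expected = entries.get((host, port))
    return expected is not None and expected == sha256_fingerprint(cert_der)


def fetch_server_cert_der(host: str, port: int) -> bytes:
    """Fetch the certificate a live server presents (network access; not used by the offline demo)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def build_known_servers_file(cert_der: bytes, *host_ports: Tuple[str, int]) -> str:
    """Render a complete file pinning one certificate for several host:port entries."""
    return "\n".join(known_servers_line(h, p, cert_der) for h, p in host_ports) + "\n"


if __name__ == "__main__":
    # Mirrors the docs example: the same certificate pinned under two names.
    contents = build_known_servers_file(SAMPLE_CERT_DER, ("localhost", 8200), ("127.0.0.1", 8200))
    print(contents, end="")
    pinned = parse_known_servers(contents)
    print("localhost:8200 matches:", is_known_server(pinned, "localhost", 8200, SAMPLE_CERT_DER))
    print("unknown host matches:", is_known_server(pinned, "vault.example", 8200, SAMPLE_CERT_DER))
```

Hostname and port are part of the key, so a certificate pinned for localhost:8200 does not match the same server reached under a different name or port; add a line per name you will actually use, as the example above does.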

Start Web3Signer and specify the location of the signing key configuration file.
