The Hashicorp Vault plugin enables the storage of Quorum account private keys in a Hashicorp Vault. It can be used with Quorum or `clef`.
Using the Hashicorp Vault plugin offers several benefits:

- Account private keys are stored in a Hashicorp Vault which can be deployed on separate infrastructure to the node
- Vault allows for fine-grained access control to secrets
Accounts can be stored in the standard Hashicorp Vault KV v2 secret engine or the custom `quorum-signer` secret engine:

- `kv` - Account private keys are stored in Vault but must be retrieved by Quorum when signing data
- `quorum-signer` (v0.2.0+ only) - Account private keys never leave the Vault boundary. Data is sent to the `quorum-signer` for signing.
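The difference between the two models above, shown as an added illustration that is not part of the plugin's own code: a constructed in-memory `vaultStore` stands in for Vault, with a `kvRead` path (kv v2 semantics: the stored secret, i.e. the private key, is returned to the caller) and a `signerSign` path (quorum-signer semantics: only a digest goes in and only a signature comes out). P-256 and SHA-256 are used because they are in the Go standard library; real Quorum accounts are secp256k1 keys, and the `secret/quorum/...` path and all function names are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// vaultStore is a constructed stand-in for a Vault server holding one ECDSA
// key per secret path. P-256 is used only because it is in the standard
// library; Quorum account keys are secp256k1.
type vaultStore struct {
	keys map[string]*ecdsa.PrivateKey
}

// newVaultStore generates a fresh key at each of the given (constructed) paths.
func newVaultStore(paths ...string) (*vaultStore, error) {
	v := &vaultStore{keys: make(map[string]*ecdsa.PrivateKey)}
	for _, p := range paths {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		v.keys[p] = k
	}
	return v, nil
}

// kvRead models the kv v2 engine: it can only hand back the stored secret,
// so the raw private key crosses the Vault boundary to the caller.
func (v *vaultStore) kvRead(path string) (*ecdsa.PrivateKey, error) {
	k, ok := v.keys[path]
	if !ok {
		return nil, errors.New("no secret at " + path)
	}
	return k, nil
}

// signerSign models the quorum-signer engine: the caller supplies a digest,
// the engine signs it in place, and only the signature leaves Vault.
func (v *vaultStore) signerSign(path string, digest []byte) ([]byte, error) {
	k, ok := v.keys[path]
	if !ok {
		return nil, errors.New("no signing key at " + path)
	}
	return ecdsa.SignASN1(rand.Reader, k, digest)
}

// publicKey is the only key material a node needs to keep for an account
// (the account address is derived from it).
func (v *vaultStore) publicKey(path string) (*ecdsa.PublicKey, error) {
	k, ok := v.keys[path]
	if !ok {
		return nil, errors.New("no account at " + path)
	}
	return &k.PublicKey, nil
}

// signViaKV is what a node does with a kv-stored account: fetch the key and
// sign locally. keyLeftVault reports whether private key material reached
// the node process (and therefore its memory, core dumps, etc.).
func signViaKV(v *vaultStore, path string, msg []byte) ([]byte, bool, error) {
	k, err := v.kvRead(path)
	if err != nil {
		return nil, false, err
	}
	d := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, k, d[:])
	return sig, true, err
}

// signViaSigner is what a node does with a quorum-signer account: hash
// locally, send the digest, receive a signature. The node never holds the key.
func signViaSigner(v *vaultStore, path string, msg []byte) ([]byte, bool, error) {
	d := sha256.Sum256(msg)
	sig, err := v.signerSign(path, d[:])
	return sig, false, err
}

// verify checks a signature against the account's public key.
func verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	d := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

func main() {
	const acct = "secret/quorum/account-1" // constructed path
	v, err := newVaultStore(acct)
	if err != nil {
		panic(err)
	}
	pub, _ := v.publicKey(acct)
	msg := []byte("constructed transaction payload")

	sig, left, _ := signViaKV(v, acct, msg)
	fmt.Printf("kv:            valid=%v keyLeftVault=%v\n", verify(pub, msg, sig), left)
	sig, left, _ = signViaSigner(v, acct, msg)
	fmt.Printf("quorum-signer: valid=%v keyLeftVault=%v\n", verify(pub, msg, sig), left)
}
```

Both paths produce signatures that verify against the same public key; the difference is where the private key is exposed. With `kv`, Vault's access control governs who may read the secret, but once read the key lives in the node process. With `quorum-signer`, Vault's policy governs who may request signatures, and the key material itself is never returned.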
Quorum will automatically download the plugin from bintray at startup. Alternatively, the plugin can be downloaded or built manually and added to the `baseDir`:

```bash
make
cp build/dist/quorum-account-plugin-hashicorp-vault-<version>.zip /path/to/baseDir
```
See the quickstart examples for step-by-step walkthroughs of how to set up and manage Quorum accounts with Vault:

- Storing accounts in a `kv` secret engine: `docs/quickstart-example-kv`
- Storing accounts in a `quorum-signer` secret engine: `docs/quickstart-example-quorum-signer`
See `docs/configuration` for complete documentation of the configuration options.

See `docs/creating-accounts` for details on creating Vault-stored accounts.

See `docs/faq` for additional info on various items.
```bash
make test
# run integration tests (vault, quorum and clef must be on PATH)
make itest
```