Hashicorp Vault plugin for Quorum

The Hashicorp Vault plugin enables the storage of Quorum account private keys in a Hashicorp Vault.

It can be used with Quorum or clef.

Using the Hashicorp Vault plugin offers several benefits:

• Account private keys are stored in a Hashicorp Vault which can be deployed on separate infrastructure to the node

• Vault allows for fine-grained access control to secrets

Storage options

Accounts can be stored in the standard Hashicorp Vault KV v2 secret engine or the custom quorum-signer secret engine:

• kv

  • Account private keys are stored in Vault but must be retrieved by Quorum when signing data

• quorum-signer (v0.2.0+ only)

  • Account private keys never leave the Vault boundary. Data is sent to the quorum-signer for signing.

Building

Quorum will automatically download the plugin from bintray at startup.

Alternatively, the plugin can be downloaded or built manually and added to the baseDir:

make
cp build/dist/quorum-account-plugin-hashicorp-vault-<version>.zip /path/to/baseDir

Quickstart

See the quickstart examples for step-by-step walkthroughs of how to set up and manage Quorum accounts with Vault:

• Storing accounts in a kv secret engine: docs/quickstart-example-kv
• Storing accounts in a quorum-signer secret engine: docs/quickstart-example-quorum-signer

Configuration

See docs/configuration for complete documentation of the configuration options.

Creating accounts

See docs/creating-accounts for details on creating Vault-stored accounts.

FAQ

See docs/faq for additional info on various items.

Run tests

make test

# run integration tests (vault, quorum and clef must be on PATH)
make itest

Further reading

• Quorum key management