You are reading Tessera development version documentation and some displayed features may not be available in the stable release.

HashiCorp Vault key pairs

To configure Tessera to use HashiCorp Vault key pairs, provide the vault information in the configuration file. You can use Tessera to generate HashiCorp Vault keys.

You can provide additional configuration items if the vault is configured to use TLS, and if the AppRole authentication method is used at a non-default path.

HashiCorp Vault key pair configuration

"keys": {
    "keyVaultConfigs": [
        {
            "keyVaultType": "HASHICORP",
            "properties": {
                "url": "https://localhost:8200",
                "tlsKeyStorePath": "/path/to/keystore.jks",
                "tlsTrustStorePath": "/path/to/truststore.jks",
                "approlePath": "not-default"
            }
        }
    ],
    "keyData": [
        {
            "hashicorpVaultSecretEngineName": "engine",
            "hashicorpVaultSecretName": "secret",
            "hashicorpVaultSecretVersion": 1,
            "hashicorpVaultPrivateKeyId": "privateKey",
            "hashicorpVaultPublicKeyId": "publicKey"
        }
    ]
}

This example configuration retrieves version 1 of the secret engine/secret from the vault, together with its corresponding values for privateKey and publicKey.

If no hashicorpVaultSecretVersion is provided, the latest version of the secret is retrieved.

Tessera requires TLS certificates and keys to be stored in the .jks Java keystore format. If the .jks files are password protected, the following environment variables must be set:



Additional environment variables must be set and a version 2 Key/Value secrets engine must be enabled.
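
An added example, not part of the Tessera documentation or code base: a pre-flight lint of a "keys" block like the one above that flags a non-HTTPS vault URL, TLS store paths that are not .jks files, and key entries that leave the secret version unpinned, and that builds the Vault KV version 2 HTTP read path each entry corresponds to. The sample configuration is constructed, and treating the four name/id fields as mandatory is an assumption.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the page's "keys" block with "url" downgraded to http, a
# .pem trust store, and a second key without a version, to trigger findings.
KEYS = json.loads("""{
  "keyVaultConfigs": [{"keyVaultType": "HASHICORP", "properties": {
    "url": "http://localhost:8200", "tlsKeyStorePath": "/path/to/keystore.jks",
    "tlsTrustStorePath": "/path/to/truststore.pem", "approlePath": "not-default"}}],
  "keyData": [
    {"hashicorpVaultSecretEngineName": "engine", "hashicorpVaultSecretName": "secret",
     "hashicorpVaultSecretVersion": 1,
     "hashicorpVaultPrivateKeyId": "privateKey", "hashicorpVaultPublicKeyId": "publicKey"},
    {"hashicorpVaultSecretEngineName": "engine", "hashicorpVaultSecretName": "secret2",
     "hashicorpVaultPrivateKeyId": "privateKey", "hashicorpVaultPublicKeyId": "publicKey"}]}""")

# Assumption: these four fields are mandatory; the page only says the version is optional.
REQUIRED = ("hashicorpVaultSecretEngineName", "hashicorpVaultSecretName",
            "hashicorpVaultPrivateKeyId", "hashicorpVaultPublicKeyId")

def lint_keys(keys):
    """Return findings for the HashiCorp entries of a Tessera "keys" block."""
    out = []
    for cfg in keys.get("keyVaultConfigs", []):
        if cfg.get("keyVaultType") != "HASHICORP":
            continue
        props = cfg.get("properties", {})
        if urlsplit(props.get("url", "")).scheme != "https":
            out.append("vault url is not https")
        for k in ("tlsKeyStorePath", "tlsTrustStorePath"):
            # Heuristic: checks the extension only, the file is not opened.
            if k in props and not props[k].endswith(".jks"):
                out.append(f"{k} is not a .jks file")
    for i, kd in enumerate(keys.get("keyData", [])):
        if not any(f in kd for f in REQUIRED):
            continue  # not a HashiCorp key entry
        out += [f"keyData[{i}] missing {f}" for f in REQUIRED if f not in kd]
        ver = kd.get("hashicorpVaultSecretVersion")
        if ver is None:
            out.append(f"keyData[{i}] unpinned: latest secret version is used")
        elif isinstance(ver, bool) or not isinstance(ver, int) or ver < 0:
            out.append(f"keyData[{i}] invalid version {ver!r}")
    return out

def kv2_read_path(kd):
    """KV version 2 HTTP API read path for one keyData entry."""
    path = f"/v1/{kd['hashicorpVaultSecretEngineName']}/data/{kd['hashicorpVaultSecretName']}"
    ver = kd.get("hashicorpVaultSecretVersion")
    return path if ver is None else f"{path}?version={ver}"
```

An unpinned entry is reported because a new version written to the same secret changes which key pair the node loads on its next start.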
