Skip to content
You are reading Tessera development version documentation and some displayed features may not be available in the stable release. You can switch to stable version using the version box at screen bottom.

Secure private keys using Argon2

You can encrypt private keys with a password during key generation.

After generating password-protected keys, you must add the password must to the configuration file to ensure it can be decrypted.

You can add passwords inline using "passwords":[], or store them in an external file referenced by "passwordFile": "Path".


The number of arguments/file lines provided must equal the total number of private keys. For example, if there are three total keys and the second is not password secured, the second argument/line must be blank or contain placeholder data.

Tessera uses Argon2 to encrypt private keys. By default, Argon2 is configured as follows:

    "variant": "id",
    "memory": 1048576,
    "iterations": 10,
    "parallelism": 4

You can change the Argon2 configuration by using the -keygenconfig option. Any override file must have the same format as the default configuration, and all options must be provided.

tessera -keygen -filename /path/to/key1 -keygenconfig /path/to/argonoptions.json
ConsenSys has acquired Quorum from J.P. Morgan. Please read the FAQ.
Questions or feedback? You can discuss issues and obtain free support on Tessera Slack channel.