Skip to content
You are reading GoQuorum development version documentation and some displayed features may not be available in the stable release. You can switch to stable version using the version box at screen bottom.

Store keys in HashiCorp Vault

You can use Tessera to generate a private and public key pair in HashiCorp Vault. You must have HashiCorp Vault configured and running.

The following example creates secrets with IDs publicKey and privateKey at the secret path secretEngine/secretName:

tessera -keygen -keygenvaulttype HASHICORP -keygenvaulturl <url> \
   -keygenvaultsecretengine secretEngine -filename secretName

You can use the -filename option to generate and store multiple key pairs at the same time:

tessera -keygen -keygenvaulttype HASHICORP -keygenvaulturl <url> \
   -keygenvaultsecretengine secretEngine -filename myNode/keypairA,myNode/keypairB

Options exist for configuring TLS and AppRole authentication. By default, the AppRole path is set to approle.

tessera -keygen -keygenvaulttype HASHICORP -keygenvaulturl <url> \
   -keygenvaultsecretengine <secretEngineName> -filename <secretName> \
   -keygenvaultkeystore <JKS file> -keygenvaulttruststore <JKS file> \
   -keygenvaultapprole <authpath>

You can configure Tessera to use HashiCorp Vault keys.


Saving a new key pair to an existing secret overwrites the values stored at that secret. Previous versions of secrets can be retained and retrieved by Tessera depending on how the K/V secrets engine is configured. When doing this, ensure you specify the correct secret version in your Tessera configuration.

ConsenSys has acquired Quorum from J.P. Morgan. Please read the FAQ.
Questions or feedback? You can discuss issues and obtain free support on Tessera Slack channel.
For paid professional support by ConsenSys, contact us at [email protected].