You are reading GoQuorum development version documentation and some displayed features may not be available in the stable release.

Store keys in HashiCorp Vault


You can use Tessera to generate a private and public key pair in HashiCorp Vault. The following example creates secrets with IDs publicKey and privateKey at the secret path secretEngine/secretName:

tessera -keygen -keygenvaulttype HASHICORP -keygenvaulturl <url> \
   -keygenvaultsecretengine secretEngine -filename secretName

The -filename option can be used to generate and store multiple key pairs at the same time:

tessera -keygen -keygenvaulttype HASHICORP -keygenvaulturl <url> \
   -keygenvaultsecretengine secretEngine -filename myNode/keypairA,myNode/keypairB

Options exist for configuring TLS and AppRole authentication. By default, the AppRole path is set to approle.

tessera -keygen -keygenvaulttype HASHICORP -keygenvaulturl <url> \
   -keygenvaultsecretengine <secretEngineName> -filename <secretName> \
   -keygenvaultkeystore <JKS file> -keygenvaulttruststore <JKS file> \
   -keygenvaultapprole <authpath>


Saving a new key pair to an existing secret overwrites the values stored at that secret. Depending on how the K/V secrets engine is configured, previous versions of secrets can be retained and retrieved by Tessera. If you rely on this, make sure you specify the correct secret version in your Tessera configuration.
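
The overwrite behaviour described above can be checked for before keygen runs. The following pre-flight check is an added example, not part of the Tessera documentation or code base. It assumes a K/V version 2 secrets engine (whose metadata endpoint returns 404 for an absent secret), the standard VAULT_ADDR and VAULT_TOKEN environment variables, and the hypothetical function names secret_status and check_keygen_targets.

```sh
#!/bin/sh
# Added example: pre-flight check before `tessera -keygen` writes to Vault.
# Assumptions: KV version 2 engine; VAULT_ADDR and VAULT_TOKEN are exported.

# Print the HTTP status of a KV v2 metadata lookup for ENGINE/NAME.
# 404 means no secret exists at that path; 200 means one does
# (including a soft-deleted one, which keygen would add a version to).
secret_status() {
    curl -s -o /dev/null -w '%{http_code}' \
        -H "X-Vault-Token: ${VAULT_TOKEN}" \
        "${VAULT_ADDR}/v1/$1/metadata/$2"
}

# check_keygen_targets ENGINE NAME[,NAME...]
# Returns 0 only when every name is unique and confirmed absent.
# Any other lookup result (403, timeout, ...) fails closed.
check_keygen_targets() {
    engine=$1 names=$2 seen= rc=0
    old_ifs=$IFS
    IFS=,
    for name in $names; do
        case ",$seen," in
            *",$name,"*)
                echo "duplicate target: $engine/$name" >&2; rc=1; continue ;;
        esac
        seen="$seen,$name"
        case $(secret_status "$engine" "$name") in
            404) ;;  # nothing stored here yet
            200) echo "exists, keygen would replace: $engine/$name" >&2; rc=1 ;;
            *)   echo "cannot verify: $engine/$name" >&2; rc=1 ;;
        esac
    done
    IFS=$old_ifs
    return $rc
}

# Usage (commented out so the file can be sourced without side effects):
# check_keygen_targets secretEngine myNode/keypairA,myNode/keypairB &&
#   tessera -keygen -keygenvaulttype HASHICORP -keygenvaulturl "$VAULT_ADDR" \
#     -keygenvaultsecretengine secretEngine -filename myNode/keypairA,myNode/keypairB
```

The check and the keygen call are not atomic, so run them from the one host or pipeline that is allowed to create keys for the node.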
