You are reading the GoQuorum development version documentation; some displayed features may not be available in the stable release.

Subcommands

keygen

Use the keygen subcommand to generate one or more key pairs to store in files or a supported key vault.

argonconfig, keygenconfig

tessera keygen --argonconfig <FILE>
tessera keygen --argonconfig /home/me/node1/argonoptions.json

JSON file containing settings to override the default Argon2 configuration.

Legacy syntax for this option is -keygenconfig <FILE>.

configfile

tessera keygen --configfile <FILE>
tessera keygen --configfile /home/me/me_node/tessera.conf

Path to the node’s configuration file.

Provide this option when updating a configuration file with new keys. If configout and pwdout are not provided, the updated configuration file prints to the terminal.

configout

tessera keygen --configout <FILE>
tessera keygen --configfile /home/me/me_node/tessera.conf --configout /home/me/me_node/update/tessera.conf

Path to save the updated configuration file to. To use this option, you must supply the --configfile option.

Legacy syntax for this option is -output <FILE>.

debug

tessera keygen --debug

Prints full exception stack traces to stdout.

encryptor.ellipticCurve

tessera keygen --encryptor.ellipticCurve <STRING>
tessera keygen --encryptor.ellipticCurve secp384r1

Elliptic curve to use for key generation. Defaults to secp256r1.

encryptor.nonceLength

tessera keygen --encryptor.nonceLength <INTEGER>
tessera keygen --encryptor.nonceLength 38

Nonce length to use as the initialization vector (IV) for symmetric encryption. Defaults to 24.

encryptor.sharedKeyLength

tessera keygen --encryptor.sharedKeyLength <INTEGER>
tessera keygen --encryptor.sharedKeyLength 48

Key length to use for symmetric encryption when generating keys. Defaults to 32.

encryptor.symmetricCipher

tessera keygen --encryptor.symmetricCipher <STRING>
tessera keygen --encryptor.symmetricCipher AES/CTR/NoPadding

Symmetric cipher to use for encrypting data. Defaults to AES/GCM/NoPadding.

encryptor.type

tessera keygen --encryptor.type <STRING>
tessera keygen --encryptor.type EC

Encryption type. Possible values are EC, NACL, and CUSTOM. Defaults to NACL.

keyout, filename

tessera keygen --keyout <FILE>[,<FILE>...]
tessera keygen --keyout /Users/me/keys/nodeKey1,/Users/me/keys/nodeKey2

Comma-separated list of key files to generate. The number of arguments determines the number of key pairs to generate. Defaults to null.

Legacy syntax for this option is -filename <FILE>[,<FILE>...].

pwdout

tessera keygen --pwdout <FILE>
tessera keygen --pwdout /home/me/me_node/passwordFile

Path to save updated password list to. To use this option, you must supply the --configout and --configfile options.

vault.hashicorp.approlepath

tessera keygen --vault.hashicorp.approlepath <PATH>
tessera keygen --vault.hashicorp.approlepath auth/approle/login

AppRole path for HashiCorp Vault authentication. Defaults to approle.

Legacy syntax for this option is -keygenvaultapprole <PATH>.

vault.hashicorp.secretenginepath

tessera keygen --vault.hashicorp.secretenginepath <PATH>
tessera keygen --vault.hashicorp.secretenginepath /engine/secret

Path to the v2 HashiCorp Vault secret engine.

Legacy syntax for this option is -keygenvaultsecretengine <PATH>.

vault.hashicorp.tlskeystore

tessera keygen --vault.hashicorp.tlskeystore <FILE>
tessera keygen --vault.hashicorp.tlskeystore /Users/me/auth/keystore.jks

Path to JKS keystore for TLS communication with HashiCorp Vault.

Legacy syntax for this option is -keygenvaultkeystore <FILE>.

vault.hashicorp.tlstruststore

tessera keygen --vault.hashicorp.tlstruststore <FILE>
tessera keygen --vault.hashicorp.tlstruststore /Users/me/auth/truststore.jks

Path to JKS truststore for TLS communication with HashiCorp Vault.

Legacy syntax for this option is -keygenvaulttruststore <FILE>.

vault.type

tessera keygen --vault.type <STRING>
tessera keygen --vault.type HASHICORP

Key vault provider in which to save the generated key.

If not specified, keys are encrypted and stored on the local filesystem. Valid options are AZURE, AWS, and HASHICORP.

Legacy syntax for this option is -keygenvaulttype <STRING>.

vault.url

tessera keygen --vault.url <STRING>
tessera keygen --vault.url https://secretsmanager.us-west-2.amazonaws.com

Key vault base URL.

Legacy syntax for this option is -keygenvaulturl <STRING>.

keyupdate, -updatepassword

Update the password or encryption options for an already locked key, or apply a new password to an unlocked key.

Legacy syntax for this subcommand is -updatepassword [COMMAND OPTIONS].

configfile

tessera keyupdate --configfile <FILE>
tessera keyupdate --configfile /home/me/me_node/tessera.conf

Path to the node’s configuration file.

debug

tessera keyupdate --debug

Prints full exception stack traces to stdout.

encryptor.ellipticCurve

tessera keyupdate --encryptor.ellipticCurve <STRING>
tessera keyupdate --encryptor.ellipticCurve secp384r1

Elliptic curve to use for the updated keys. Defaults to secp256r1.

encryptor.nonceLength

tessera keyupdate --encryptor.nonceLength <INTEGER>
tessera keyupdate --encryptor.nonceLength 38

Nonce length to use as the initialization vector (IV) for symmetric encryption. Defaults to 24.

encryptor.sharedKeyLength

tessera keyupdate --encryptor.sharedKeyLength <INTEGER>
tessera keyupdate --encryptor.sharedKeyLength 48

Key length to use for symmetric encryption when updating keys. Defaults to 32.

encryptor.symmetricCipher

tessera keyupdate --encryptor.symmetricCipher <STRING>
tessera keyupdate --encryptor.symmetricCipher AES/CTR/NoPadding

Symmetric cipher to use for encrypting data. Defaults to AES/GCM/NoPadding.

encryptor.type

tessera keyupdate --encryptor.type <STRING>
tessera keyupdate --encryptor.type EC

Encryption type. Possible values are EC, NACL, and CUSTOM. Defaults to NACL.

keys.keyData.config.data.aopts.algorithm

tessera keyupdate --keys.keyData.config.data.aopts.algorithm <STRING>
tessera keyupdate --keys.keyData.config.data.aopts.algorithm id

Argon2 variant to use. Defaults to i.

Valid options are i, d, and id.

keys.keyData.config.data.aopts.iterations

tessera keyupdate --keys.keyData.config.data.aopts.iterations <INTEGER>
tessera keyupdate --keys.keyData.config.data.aopts.iterations 4

Number of Argon2 iterations to perform. Defaults to 10.

keys.keyData.config.data.aopts.memory

tessera keyupdate --keys.keyData.config.data.aopts.memory <INTEGER>
tessera keyupdate --keys.keyData.config.data.aopts.memory 1248480

Sets the Argon2 memory usage. Defaults to 1048576.

keys.keyData.config.data.aopts.parallelism

tessera keyupdate --keys.keyData.config.data.aopts.parallelism <INTEGER>
tessera keyupdate --keys.keyData.config.data.aopts.parallelism 6

Sets the number of parallel Argon2 threads. Defaults to 4.

keys.keyData.privateKeyPath

tessera keyupdate --keys.keyData.privateKeyPath <PATH>
tessera keyupdate --keys.keyData.privateKeyPath /Users/me/mynode/nodekey.key

Path to the private key file to update. This option is required.

keys.password

tessera keyupdate --keys.password <STRING>
tessera keyupdate --keys.password changeme

Password to unlock the private key specified using keys.keyData.privateKeyPath.

keys.passwordFile

tessera keyupdate --keys.passwordFile <FILE>
tessera keyupdate --keys.passwordFile /Users/me/mynode/passwordFile

File containing the password to unlock the private key specified using keys.keyData.privateKeyPath.
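
An added example (not part of the Tessera documentation): a POSIX shell wrapper that runs keyupdate with the password supplied through keys.passwordFile rather than keys.password, since a password given as a command-line argument ends up in shell history and the process list, and that refuses to run if the key or password file is accessible to group or others. The function names, the TESSERA_BIN override and the permission policy are assumptions of this example; the Argon2 values are the defaults listed above, with the id variant selected.

```shell
#!/bin/sh
# Added example: guarded wrapper for `tessera keyupdate` (flags from this page).
# secret_file_ok, keyupdate_hardened and TESSERA_BIN are names made up here.

# True only for a regular, non-symlink file with no group/other permission bits.
secret_file_ok() {
  [ -f "$1" ] && [ ! -L "$1" ] || return 1
  # GNU stat first, BSD/macOS stat as fallback; both print octal such as 600.
  _mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
  case "$_mode" in
    0|*00) return 0 ;;
    *)     return 1 ;;
  esac
}

# $1 = private key file, $2 = file holding the current password.
keyupdate_hardened() {
  secret_file_ok "$1" || { echo "refusing: $1 is not an owner-only regular file" >&2; return 1; }
  secret_file_ok "$2" || { echo "refusing: $2 is not an owner-only regular file" >&2; return 1; }
  (
    umask 077   # files the child process creates default to owner-only
    "${TESSERA_BIN:-tessera}" keyupdate \
      --keys.keyData.privateKeyPath "$1" \
      --keys.passwordFile "$2" \
      --keys.keyData.config.data.aopts.algorithm id \
      --keys.keyData.config.data.aopts.iterations 10 \
      --keys.keyData.config.data.aopts.memory 1048576 \
      --keys.keyData.config.data.aopts.parallelism 4
  )
}

# Run only when called as: sh keyupdate-hardened.sh <keyfile> <passwordfile>
if [ "$#" -eq 2 ]; then
  keyupdate_hardened "$1" "$2"
fi
```

Setting TESSERA_BIN=echo prints the command line instead of running it, which is a quick way to review the flags before touching a real key.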

version

tessera version

Prints version information and exits.
