You are reading GoQuorum development version documentation and some displayed features may not be available in the stable release.

Subcommands

keygen

Use the keygen subcommand to generate one or more key pairs to store in files or a supported key vault.

argonconfig, keygenconfig

--argonconfig <FILE>
--argonconfig /home/me/node1/argonoptions.json

JSON file containing settings to override the default Argon2 configuration.

Alternate syntax for this option is -keygenconfig <FILE>.

debug

--debug

Prints full exception stack traces to STDOUT.

encryptor.ellipticCurve

--encryptor.ellipticCurve <STRING>
--encryptor.ellipticCurve secp384r1

The elliptic curve to use for key generation. Defaults to secp256r1.

encryptor.nonceLength

--encryptor.nonceLength <INTEGER>
--encryptor.nonceLength 38

The nonce length used as the initialization vector (IV) for symmetric encryption. Defaults to 24.

encryptor.sharedKeyLength

--encryptor.sharedKeyLength <INTEGER>
--encryptor.sharedKeyLength 48

The key length used for symmetric encryption when generating keys. Defaults to 32.

encryptor.symmetricCipher

--encryptor.symmetricCipher <STRING>
--encryptor.symmetricCipher AES/CTR/NoPadding

The symmetric cipher to use for encrypting data. Defaults to AES/GCM/NoPadding.

encryptor.type

--encryptor.type <STRING>
--encryptor.type EC

The encryption type. Possible values are EC, NACL, and CUSTOM. Defaults to NACL.

keyout, filename

--keyout <FILE>[,<FILE>...]
--keyout /Users/me/keys/nodeKey1,/Users/me/keys/nodeKey2

Comma-separated list of key files to generate. The number of arguments determines the number of key pairs to generate. Defaults to null.

Alternate syntax for this option is -filename <FILE>[,<FILE>...].

vault.hashicorp.approlepath

--vault.hashicorp.approlepath <PATH>
--vault.hashicorp.approlepath auth/approle/login

The AppRole path for HashiCorp Vault authentication. Defaults to approle.

Alternate syntax for this option is -keygenvaultapprole <PATH>.

vault.hashicorp.tlskeystore

--vault.hashicorp.tlskeystore <FILE>
--vault.hashicorp.tlskeystore /Users/me/auth/keystore.jks

Path to JKS keystore for TLS communication with HashiCorp Vault.

Alternate syntax for this option is -keygenvaultkeystore <FILE>.

vault.hashicorp.secretenginepath

--vault.hashicorp.secretenginepath <PATH>
--vault.hashicorp.secretenginepath /engine/secret

Path to the v2 HashiCorp Vault secret engine.

Alternate syntax for this option is -keygenvaultsecretengine <PATH>.

vault.hashicorp.tlstruststore

--vault.hashicorp.tlstruststore <FILE>
--vault.hashicorp.tlstruststore /Users/me/auth/truststore.jks

Path to JKS truststore for TLS communication with HashiCorp Vault.

Alternate syntax for this option is -keygenvaulttruststore <FILE>.

vault.type

--vault.type <STRING>
--vault.type HASHICORP

The key vault provider in which to save the generated key.

If not specified, keys are encrypted and stored on the local filesystem. Valid options are AZURE, AWS, and HASHICORP.

Alternate syntax for this option is -keygenvaulttype <STRING>.

vault.url

--vault.url <STRING>
--vault.url https://secretsmanager.us-west-2.amazonaws.com

Key vault base URL.

Alternate syntax for this option is -keygenvaulturl <STRING>.

configfile

--configfile <FILE>
--config-file /home/me/me_node/tessera.conf

The path to the node’s configuration file.

Provide this option when updating a configuration file with new keys. If --configout and --pwdout are not provided, the updated configuration file prints to the terminal.

configout

--configout <FILE>
--configout /home/me/me_node/update/tessera.conf

Path to save the updated configuration file to. You must supply the --configfile option.

Alternate syntax for this option is -output <FILE>.

pwdout

--pwdout <FILE>
--pwdout /home/me/me_node/passwordFile

Path to save updated password list to. You must supply the --configout and --configfile options.

keyupdate, updatepassword

Update the password or encryption options for an already locked key, or apply a new password to an unlocked key.

configfile

--configfile <FILE>
--config-file /home/me/me_node/tessera.conf

The path to the node’s configuration file.

debug

--debug

Prints full exception stack traces to STDOUT.

encryptor.ellipticCurve

--encryptor.ellipticCurve <STRING>
--encryptor.ellipticCurve secp384r1

The elliptic curve to use for the updated keys. Defaults to secp256r1.

encryptor.nonceLength

--encryptor.nonceLength <INTEGER>
--encryptor.nonceLength 38

The nonce length used as the initialization vector (IV) for symmetric encryption. Defaults to 24.

encryptor.sharedKeyLength

--encryptor.sharedKeyLength <INTEGER>
--encryptor.sharedKeyLength 48

The key length used for symmetric encryption when updating keys. Defaults to 32.

encryptor.symmetricCipher

--encryptor.symmetricCipher <STRING>
--encryptor.symmetricCipher AES/CTR/NoPadding

The symmetric cipher to use for encrypting data. Defaults to AES/GCM/NoPadding.

encryptor.type

--encryptor.type <STRING>
--encryptor.type EC

The encryption type. Possible values are EC, NACL, and CUSTOM. Defaults to NACL.

keys.keyData.config.data.aopts.algorithm

--keys.keyData.config.data.aopts.algorithm <STRING>
--keys.keyData.config.data.aopts.algorithm id

The Argon2 variant to use. Defaults to i.

Valid options are i, d, and id.

keys.keyData.config.data.aopts.iterations

--keys.keyData.config.data.aopts.iterations <INTEGER>
--keys.keyData.config.data.aopts.iterations 4

The number of Argon2 iterations to perform. Defaults to 10.

keys.keyData.config.data.aopts.memory

--keys.keyData.config.data.aopts.memory <INTEGER>
--keys.keyData.config.data.aopts.memory 1248480

Sets the Argon2 memory usage. Defaults to 1048576.

keys.keyData.config.data.aopts.parallelism

--keys.keyData.config.data.aopts.parallelism <INTEGER>
--keys.keyData.config.data.aopts.parallelism 6

Set the number of parallel Argon2 threads. Defaults to 4.

keys.keyData.privateKeyPath

--keys.keyData.privateKeyPath <PATH>
--keys.keyData.privateKeyPath /Users/me/mynode/nodekey.key

Path to the private key file to update. This option is mandatory.

keys.passwordFile

--keys.passwordFile <FILE>
--keys.passwordFile /Users/me/mynode/passwordFile

File containing the password to unlock the private key specified using keys.keyData.privateKeyPath.

keys.password

--keys.password <STRING>
--keys.password changeme

Password to unlock the private key specified using keys.keyData.privateKeyPath.
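
The following Python check is an added example, not part of the Tessera documentation. It audits a keyupdate command line against the defaults and requirements listed above: the mandatory key path, a password passed inline instead of through a file, a cipher other than the default, and Argon2 costs below the defaults. The function names, the sample command line and the `tessera` executable name are assumptions made for illustration.

```python
import shlex

# Argon2 defaults as documented above for keyupdate.
ARGON_DEFAULTS = {
    "--keys.keyData.config.data.aopts.iterations": 10,
    "--keys.keyData.config.data.aopts.memory": 1048576,
    "--keys.keyData.config.data.aopts.parallelism": 4,
}

def parse_options(command_line):
    """Map each '--option' to its value (None for bare flags such as --debug)."""
    tokens = shlex.split(command_line)
    opts = {}
    for i, tok in enumerate(tokens):
        if tok.startswith("-"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            opts[tok] = nxt if nxt is not None and not nxt.startswith("-") else None
    return opts

def audit_keyupdate(command_line):
    """Return a list of findings for a keyupdate command line (hypothetical helper)."""
    opts = parse_options(command_line)
    findings = []
    if "--keys.keyData.privateKeyPath" not in opts:
        findings.append("missing mandatory --keys.keyData.privateKeyPath")
    if "--keys.password" in opts:
        findings.append("--keys.password puts the password in shell history "
                        "and process listings; use --keys.passwordFile")
    cipher = opts.get("--encryptor.symmetricCipher")
    if cipher and "/GCM/" not in cipher.upper():
        findings.append(f"{cipher} differs from the default AES/GCM/NoPadding; "
                        "confirm the mode authenticates ciphertext (CTR does not)")
    for name, default in ARGON_DEFAULTS.items():
        raw = opts.get(name)
        if name in opts and not (raw or "").isdecimal():
            findings.append(f"{name} needs an integer value")
        elif name in opts and int(raw) < default:
            findings.append(f"{name}={raw} is below the documented default {default}")
    return findings

# Constructed sample using this page's example values; 'tessera' as executable name is assumed.
SAMPLE = ("tessera keyupdate --keys.keyData.privateKeyPath /Users/me/mynode/nodekey.key "
          "--keys.password changeme --encryptor.symmetricCipher AES/CTR/NoPadding "
          "--keys.keyData.config.data.aopts.iterations 4 "
          "--keys.keyData.config.data.aopts.memory 1248480")

if __name__ == "__main__":
    print("\n".join(audit_keyupdate(SAMPLE)))
```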
