Use Web3Signer with HashiCorp Vault

Web3Signer supports storing the signing key in HashiCorp Vault.

Store a private key in HashiCorp Vault

After installing HashiCorp Vault and starting the server:

  1. Set the VAULT_ADDR environment variable using the command displayed after starting the server:

     export VAULT_ADDR='http://127.0.0.1:8200'

  2. Copy or save the root token displayed after starting the server in a file.

  3. Enable the secret mount point using the KV v2 engine. Using the Vault CLI, enable the KV v2 secret mount point:

     vault secrets enable -path=secret kv-v2

     Note: Use the kv-v2 type as indicated in the KV v2 documentation. Web3Signer only works with v2 secrets.

     If the engine used is v2, the secret is versioned and you can see the metadata with the version field:

     vault kv get /secret/web3signerSigningKey
     ====== Metadata ======
     Key              Value
     ---              -----
     created_time     2020-11-27T10:15:59.91752Z
     deletion_time    n/a
     destroyed        false
     version          1

     ==== Data ====
     Key      Value
     ---      -----
     value    17079f966aa2d5db1678ed32467165bbbd640868e7371ade8d5812ea856d2bbf

  4. Write the key in HashiCorp Vault as a hex string (without the 0x prefix):

     vault kv put secret/web3signerSigningKey value=<Private Key without 0x prefix>
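The "v2 only" note matters because the KV v1 and KV v2 engines return differently shaped documents over the HTTP API: v2 nests the secret one level deeper (under data.data, next to a metadata object carrying the version shown above). The following is an added check, not Web3Signer's or Vault's code, that tells the two shapes apart and verifies a stored key matches what steps 3 and 4 require (a v2 mount, 64 hex characters, no 0x prefix). Both responses are constructed samples built from the value on this page; the function and field names are this example's own.

```python
import re

# Constructed sample responses (not captured Vault output) for the same logical
# secret read from a KV v2 mount and from a KV v1 mount. Only v2 nests the
# fields under data.data and returns a metadata object with the version.
KV_V2_RESPONSE = {
    "data": {
        "data": {"value": "17079f966aa2d5db1678ed32467165bbbd640868e7371ade8d5812ea856d2bbf"},
        "metadata": {"created_time": "2020-11-27T10:15:59.91752Z", "version": 1},
    }
}
KV_V1_RESPONSE = {
    "data": {"value": "17079f966aa2d5db1678ed32467165bbbd640868e7371ade8d5812ea856d2bbf"}
}

# A secp256k1 private key is 32 bytes, i.e. exactly 64 hex characters.
HEX_KEY_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def kv_version(response: dict) -> int:
    """Return 2 if the response has the KV v2 shape (data.data plus data.metadata), else 1."""
    data = response.get("data")
    if not isinstance(data, dict):
        raise ValueError("response has no 'data' object")
    if isinstance(data.get("data"), dict) and "metadata" in data:
        return 2
    return 1


def read_signing_key(response: dict, key_name: str = "value") -> str:
    """Extract the signing key from a KV v2 read and check it is stored the way
    Web3Signer expects: on a v2 mount, as 64 hex characters without a 0x prefix."""
    if kv_version(response) != 2:
        raise ValueError("secret is on a KV v1 mount; Web3Signer needs a kv-v2 mount")
    secret = response["data"]["data"]
    if key_name not in secret:
        raise KeyError(f"field {key_name!r} missing from secret")
    value = str(secret[key_name])
    if value.lower().startswith("0x"):
        raise ValueError("private key must be stored without the 0x prefix")
    if not HEX_KEY_RE.match(value):
        raise ValueError("private key must be exactly 64 hex characters (32 bytes)")
    return value


if __name__ == "__main__":
    print("KV version of sample:", kv_version(KV_V2_RESPONSE))
    print("stored key is well-formed:", len(read_signing_key(KV_V2_RESPONSE)) == 64)
```

Run the check against the JSON body returned by your own read of the secret before pointing Web3Signer at it; a v1-shaped response or a 0x-prefixed value is the usual cause of a key that "exists in Vault" but never loads.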

Create the known servers file

The known servers file is required if TLS is enabled. To disable TLS, set tlsEnabled to false; in that case the Vault token and the returned signing key travel in plaintext between Web3Signer and Vault.

Specify the location of the known servers file in the tlsKnownServersPath option of the signing key configuration file.

The file contents use the format <hostname>:<port> <hex-string>, one server per line, where:

  • <hostname> is the server hostname.
  • <port> is the port used for communication.
  • <hex-string> is the SHA-256 fingerprint of the server's certificate.

Example known servers file:

localhost:8200 7C:B3:3E:F9:98:43:5E:62:69:9F:A9:9D:41:14:03:BA:83:24:AC:04:CE:BD:92:49:1B:8D:B2:A4:86:39:4C:BB
127.0.0.1:8200 7C:B3:3E:F9:98:43:5E:62:69:9F:A9:9D:41:14:03:BA:83:24:AC:04:CE:BD:92:49:1B:8D:B2:A4:86:39:4C:BB
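The known servers file is a certificate-pinning list: Web3Signer will only talk to a Vault endpoint whose certificate hashes to the listed fingerprint. The following added example (not Web3Signer's code) shows how to produce a line for that file from a certificate, parse and validate an existing file, and check a presented certificate against it. It assumes the fingerprint is SHA-256 over the DER-encoded certificate, written as colon-separated upper-case hex as on this page; the certificate bytes below are a constructed stand-in, and a real deployment would read the DER form of the Vault server's TLS certificate instead.

```python
import hashlib

# Constructed sample: the two lines shown on this page, as a known servers file.
KNOWN_SERVERS_TEXT = """\
localhost:8200 7C:B3:3E:F9:98:43:5E:62:69:9F:A9:9D:41:14:03:BA:83:24:AC:04:CE:BD:92:49:1B:8D:B2:A4:86:39:4C:BB
127.0.0.1:8200 7C:B3:3E:F9:98:43:5E:62:69:9F:A9:9D:41:14:03:BA:83:24:AC:04:CE:BD:92:49:1B:8D:B2:A4:86:39:4C:BB
"""

# Constructed stand-in for a DER-encoded server certificate (not a real certificate).
SAMPLE_CERT_DER = b"constructed-sample-certificate-bytes"

HEX_DIGITS = set("0123456789ABCDEF")


def sha256_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER certificate as colon-separated upper-case hex octets."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def known_servers_line(host: str, port: int, cert_der: bytes) -> str:
    """Build one '<hostname>:<port> <hex-string>' line for the known servers file."""
    return f"{host}:{port} {sha256_fingerprint(cert_der)}"


def parse_known_servers(text: str) -> dict:
    """Parse the file into {(host, port): fingerprint}, rejecting malformed lines."""
    servers = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<hostname>:<port> <hex-string>'")
        hostport, fingerprint = parts
        host, sep, port = hostport.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"line {lineno}: bad host:port {hostport!r}")
        fp = fingerprint.upper()
        octets = fp.split(":")
        # 32 octets of two hex digits each: anything else is not a SHA-256 fingerprint.
        if len(octets) != 32 or any(len(o) != 2 or set(o) - HEX_DIGITS for o in octets):
            raise ValueError(f"line {lineno}: {fingerprint!r} is not a SHA-256 fingerprint")
        servers[(host, int(port))] = fp
    return servers


def is_trusted(servers: dict, host: str, port: int, cert_der: bytes) -> bool:
    """True only if the server is listed and the presented certificate matches its pin."""
    expected = servers.get((host, port))
    return expected is not None and expected == sha256_fingerprint(cert_der)


if __name__ == "__main__":
    pins = parse_known_servers(KNOWN_SERVERS_TEXT)
    print("pinned servers:", sorted(pins))
    print("sample cert trusted for localhost:8200:", is_trusted(pins, "localhost", 8200, SAMPLE_CERT_DER))
    print("generated line:", known_servers_line("localhost", 8200, SAMPLE_CERT_DER))
```

Because the match is on the certificate hash rather than on a CA chain, the file must be updated whenever Vault's certificate is rotated; a stale pin fails closed, which is the behaviour you want from a signer.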

Start Web3Signer and specify the location of the signing key configuration file.