Encrypted storage

Note: The encrypted storage plugin is available with a ConsenSys Quorum Support subscription.

The encrypted storage plugin encrypts a Hyperledger Besu node's blockchain data at rest in a RocksDB database. Data is encrypted and decrypted using a 256-bit AES key that is stored locally or in HashiCorp Vault.

Enable the encrypted storage plugin on the command line using --key-value-storage=encrypted-storage.

Important: The option to use encryption at rest must be enabled when the blockchain database is created on the node. In other words, you cannot encrypt an existing unencrypted database.

The encryption key cannot be changed after the database is created.

We recommend that you use TLS for communication between Hyperledger Besu and HashiCorp Vault. Configure TLS in the file used to retrieve the encryption key.

Store encryption keys locally

The encryption key can be stored locally in a file. To configure encrypted storage using a local file, enable the encrypted storage plugin and set the location of the encryption key from the command line.

Store encryption keys in HashiCorp Vault

The encryption key can be stored in HashiCorp Vault as a hex string. Create a TOML configuration file to retrieve the encryption key and configure TLS between Hyperledger Besu and the HashiCorp Vault server.

To configure encrypted storage using HashiCorp Vault, enable the encrypted storage plugin and set the location of the configuration file from the command line.
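
For either storage option the key has to be a correct 256-bit value before the database is first created, because it cannot be changed afterwards. The following is an added example, not part of the Besu documentation: it generates a key, validates it, and writes it to an owner-only file without ever overwriting an existing one. It assumes the key is kept as a 64-character hex string (the form described above for HashiCorp Vault); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Besu or plugin code. Assumption: the key is handled as a
# 64-character hex string, the form the page describes for HashiCorp Vault.

# Print a fresh 256-bit key as 64 lowercase hex characters.
gen_key_hex() {
    od -An -v -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# Succeed only if $1 is exactly 64 hex characters (256 bits).
is_valid_key_hex() {
    [ "${#1}" -eq 64 ] || return 1
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# Write key $2 to file $1 with mode 0600. Refuses to replace an existing file:
# the key cannot be changed once the database exists, so overwriting it would
# leave the encrypted data unreadable.
write_key_file() {
    is_valid_key_hex "$2" || { echo "invalid key: need 64 hex chars" >&2; return 1; }
    (
        umask 077    # new file is readable and writable by the owner only
        set -C       # noclobber: '>' fails if the file already exists
        printf '%s' "$2" > "$1"
    ) 2>/dev/null || {
        echo "cannot create $1 (already exists or not writable)" >&2
        return 1
    }
}
```

Call `write_key_file <path> "$(gen_key_hex)"` once, before the node creates its database, and keep a backup of the key in a separate secured location.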