Skip to content
You are reading Consensys Quorum Plugins development version documentation and some displayed features may not be available in the stable release. You can switch to stable version using the version box at screen bottom.

Encrypted storage

Note

The encrypted storage plugin is available with a ConsenSys Quorum Support subscription.

The Encrypted Storage plugin encrypts a Hyperledger Besu node’s blockchain data at rest in a RocksDB database. Data is encrypted and decrypted using a 256-bit AES key that is stored locally or in HashiCorp Vault.

Enable the Encrypted Storage plugin on the command line using --key-value-storage=encrypted-storage.

Important

The option to use encryption at rest must be enabled when the blockchain database is created on the node. In other words, you cannot encrypt an existing unencrypted database.

The encryption key cannot be changed after the database is created.

We recommend that you use TLS for communication between Hyperledger Besu and HashiCorp Vault. Configure TLS in the file used to retrieve the encryption key.

Store encryption keys locally

The encryption key can be stored locally in a file. To configure encrypted storage using a local file, enable the Encrypted Storage plugin and set the location of the encryption key from the command line.

Store encryption keys in HashiCorp Vault

The encryption key can be stored in HashiCorp Vault as a hex string. Create a TOML configuration file to retrieve the encryption key and configure TLS between Hyperledger Besu and the HashiCorp Vault server.

To configure encrypted storage using HashiCorp Vault, enable the Encrypted Storage plugin and set the location of the configuration file from the command line.

ConsenSys has acquired Quorum from J.P. Morgan. Please read the FAQ.
Questions or feedback? You can obtain paid professional support by ConsenSys at quorum@consensys.net