You are reading the Codefi Orchestrate development version documentation; some features described here may not be available in the stable release.

Connect HashiCorp Vault

Codefi Orchestrate supports HashiCorp Vault as the store for secret material such as the private keys of Ethereum accounts. Keys are created and used inside Vault through the Orchestrate secret engine plugin, so the Key Manager service never needs to hold them in its own memory or on its own disk.

Important

Codefi Orchestrate uses a custom HashiCorp Vault plugin (the Orchestrate secret engine) that must be installed and enabled on the HashiCorp Vault server. Follow the README of the plugin project for installation instructions.

Use the following settings to configure the connection to HashiCorp Vault when starting the Key Manager service.

Tip

Configure each microservice with its own microservice-specific environment variables. Equivalent command line options are also available and take precedence over the environment variables.

Configuration

Environment variable (command line option)
    Description. Default value.

KEY_MANAGER_TYPE (--key-manager-type)
    Type of Key Manager vault. Only hashicorp-vault is currently supported.
    Default: hashicorp-vault

VAULT_ADDR (--vault-addr)
    URL of the HashiCorp Vault server.
    Default: https://127.0.0.1:8200

VAULT_MOUNT_POINT (--vault-mount-point)
    Mount path of the Orchestrate secret engine (plugin) on the Vault server.
    Default: orchestrate

VAULT_TOKEN_FILE (--vault-token-file)
    Path of the file containing the Vault token used by the Key Manager.
    Default: /vault/token/.vault-token

VAULT_RATE_LIMIT (--vault-rate-limit)
    Maximum rate of requests sent to HashiCorp Vault, in operations per second. 0 means unlimited.
    Default: 0.0

VAULT_BURST_LIMIT (--vault-burst-limit)
    Burst size of the rate limiter: the number of operations that may be sent above the steady rate. 0 means unlimited.
    Default: 0

VAULT_CLIENT_TIMEOUT (--vault-client-timeout)
    Timeout of a single request to HashiCorp Vault.
    Default: 60s

VAULT_MAX_RETRIES (--vault-max-retries)
    Maximum number of retries when HashiCorp Vault answers with a 5xx error code.
    Default: 0

SSL/TLS Configuration

In addition to the options above, the following settings configure TLS for the connection to HashiCorp Vault.

Environment variable (command line option)
    Description. Default value.

VAULT_CACERT (--vault-cacert)
    Path of a PEM-encoded CA certificate file used to verify the Vault server certificate.
    Default: none (the system trust store is used)

VAULT_CAPATH (--vault-capath)
    Path of a directory of PEM-encoded CA certificate files used to verify the Vault server certificate.
    Default: none

VAULT_CLIENT_CERT (--vault-client-cert)
    Path of the PEM-encoded TLS client certificate presented to the Vault server (mutual TLS).
    Default: none

VAULT_CLIENT_KEY (--vault-client-key)
    Path of the PEM-encoded private key matching the TLS client certificate.
    Default: none

VAULT_TLS_SERVER_NAME (--vault-tls-server-name)
    Server name (SNI) expected in the Vault server certificate, when it differs from the host in VAULT_ADDR.
    Default: none

VAULT_SKIP_VERIFY (--vault-skip-verify)
    Whether to skip verification of the Vault server certificate.
    Default: false

Do not set vault-skip-verify to true in production. With verification disabled the Key Manager accepts any certificate presented for VAULT_ADDR, so an attacker able to intercept the connection can impersonate the Vault server, read the Vault token sent with each request and answer signing requests with keys of their choosing. If the Vault certificate is issued by a private CA, point VAULT_CACERT or VAULT_CAPATH at that CA instead.
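The following is an added example, not part of the Orchestrate project or this page: a POSIX shell preflight script that exports the Key Manager settings from the two tables above and refuses to proceed with a configuration that weakens the Vault connection (a plaintext VAULT_ADDR, VAULT_SKIP_VERIFY=true, or a token file readable by other users). The environment variable names are the ones documented above; the hostname, file paths and check functions are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not Orchestrate code): preflight checks for the Key Manager's
# HashiCorp Vault configuration. Variable names follow the documentation above;
# the hostname and paths below are placeholders for this example.

# Return 0 when the address/TLS combination is acceptable for production,
# 1 otherwise. Arguments: VAULT_ADDR value, VAULT_SKIP_VERIFY value.
vault_tls_ok() {
  addr="$1"
  skip="$2"
  case "$addr" in
    https://*) ;;                       # TLS in use, keep checking
    http://*)  echo "refusing plaintext Vault address: $addr" >&2; return 1 ;;
    *)         echo "malformed VAULT_ADDR: $addr" >&2; return 1 ;;
  esac
  if [ "$skip" = "true" ]; then
    # Skipping verification lets any host terminate the TLS session and
    # read the Vault token sent with every request.
    echo "VAULT_SKIP_VERIFY=true disables server certificate verification" >&2
    return 1
  fi
  return 0
}

# Return 0 when the token file exists, is a regular file and is readable only
# by its owner (mode 600 or 400); the token grants access to the signing keys.
vault_token_file_ok() {
  f="$1"
  [ -f "$f" ] || { echo "token file missing: $f" >&2; return 1; }
  # GNU stat first, BSD/macOS stat as fallback.
  perms=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$perms" in
    600|400) return 0 ;;
    *) echo "token file $f has mode $perms, expected 600 or 400" >&2; return 1 ;;
  esac
}

# Export the settings the Key Manager reads. Values are constructed for this
# example; replace the hostname and paths with those of your deployment.
export_key_manager_env() {
  export KEY_MANAGER_TYPE="hashicorp-vault"
  export VAULT_ADDR="https://vault.example.internal:8200"   # assumed hostname
  export VAULT_MOUNT_POINT="orchestrate"
  export VAULT_TOKEN_FILE="/vault/token/.vault-token"
  export VAULT_CLIENT_TIMEOUT="60s"
  export VAULT_MAX_RETRIES="2"
  # Verify the server against the private CA rather than disabling checks.
  export VAULT_CACERT="/vault/tls/ca.crt"                   # assumed path
  export VAULT_TLS_SERVER_NAME="vault.example.internal"     # assumed SNI name
  export VAULT_SKIP_VERIFY="false"
}

# Run all checks against the exported environment; return non-zero on failure.
preflight() {
  export_key_manager_env
  status=0
  vault_tls_ok "$VAULT_ADDR" "$VAULT_SKIP_VERIFY" || status=1
  vault_token_file_ok "$VAULT_TOKEN_FILE" || status=1
  [ -r "$VAULT_CACERT" ] || { echo "CA file not readable: $VAULT_CACERT" >&2; status=1; }
  [ "$status" -eq 0 ] && echo "preflight OK: Key Manager may be started" 
  return "$status"
}

# Run the checks only when explicitly requested, so the functions can be
# sourced and reused: RUN_PREFLIGHT=1 sh preflight.sh
if [ "${RUN_PREFLIGHT:-0}" = "1" ]; then
  preflight
  exit $?
fi
```

Run it with `RUN_PREFLIGHT=1 sh preflight.sh` before launching the Key Manager. The checks are deliberately conservative: a plaintext address is rejected outright rather than warned about, because the Vault token travels in a request header on every call, and a group- or world-readable token file is rejected for the same reason.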

Tip

Follow the Deploying Orchestrate in production tutorial for more information on deploying HashiCorp Vault in a production environment on Kubernetes with TLS certificates.
