Ecosyste.ms: Awesome

https://github.com/ConsenSys/quorum-signer-plugin-for-hashicorp-vault

A secret engine plugin for Hashicorp Vault that stores quorum accounts and uses them to sign data

# Quorum Signer plugin for Hashicorp Vault

The Quorum Signer plugin is a [custom plugin backend for Hashicorp Vault](https://www.vaultproject.io/docs/plugin) that adds a new `quorum-signer` secret-engine type to Hashicorp Vault.

The `quorum-signer` secret-engine creates and stores Quorum accounts that can be used to sign data.

When used in conjunction with the [Hashicorp Vault plugin for Quorum](https://github.com/ConsenSys/quorum-account-plugin-hashicorp-vault), Quorum can sign transactions and data as normal, with the added security benefit that account private keys never leave the boundaries of Vault and never have to be directly managed.

## Building
```shell
make
```

## Quickstart
> This quickstart uses the `vault` dev server. The dev server is quick and easy to set up but should not be used for production.
>
> The dev server does **not**:
> * persist data between restarts
> * encrypt HTTP communications with TLS
>
> For more advanced Vault topics (such as configuring storage, TLS, and approle token renewal) see the [Vault docs](https://www.vaultproject.io/docs).

```shell
make
```
```shell
vault server -dev -dev-root-token-id=root \
-dev-plugin-dir=/path/to/quorum-signer-plugin-for-hashicorp-vault/build
```

The output should include something similar to the following to indicate the plugin is available:
```shell
The following dev plugins are registered in the catalog:
- quorum-signer-
```

In another terminal:
```shell
export VAULT_ADDR=http://localhost:8200
export VAULT_TOKEN=root
vault secrets enable -path quorum-signer quorum-signer-
```

The `quorum-signer` secret-engine will now be available for use.

### Vault non-dev mode

Using plugins with a non-dev mode Vault server requires additional Vault configuration, and the plugin must be registered before it can be used. See [Plugin Registration](https://www.vaultproject.io/docs/internals/plugins#plugin-registration) for more info.

1. Add `plugin_directory` and `api_addr` fields to `config.hcl`, e.g.:
```hcl
plugin_directory = "path/to/quorum-signer-plugin-for-hashicorp-vault/build"
api_addr = "https://localhost:8200"
```
1. Register the plugin in Vault
```shell
vault write sys/plugins/catalog/secret/quorum-signer- \
sha256= \
command="quorum-signer- --ca-cert= --client-cert= --client-key="
```
* ``: Hash of plugin binary (e.g. from `shasum -a 256 /hashicorp-vault-signing-plugin/build/quorum-signer-`)
* ``, ``, ``: The plugin acts as a client to the Vault server. If TLS is configured on the Vault server then the paths to the necessary client TLS certs must be provided

## API
The `quorum-signer` secret-engine stores accounts with a user-defined `acctID` (e.g. `myAcct`). Interacting with accounts is made possible through the plugin's API.

### List acctIDs

```shell
vault list quorum-signer/accounts

Keys
----
myAcct
otherAcct
```

### Create new account
> Note: Overwriting existing secrets (i.e. reusing the same `acctID`) is not supported

```shell
vault write -f quorum-signer/accounts/

Key Value
--- -----
addr 874f98d93427b145fcf1bb2c34f733f6c14597df
```

### Import existing account
> Note: Overwriting existing secrets (i.e. reusing the same `acctID`) is not supported

```shell
vault write quorum-signer/accounts/ import=1fe8f1ad4053326db20529257ac9401f2e6c769ef1d736b8c2f5aba5f787c72b

Key Value
--- -----
addr 6038dc01869425004ca0b8370f6c81cf464213b3
```

* `import`: hex-encoded private key

### Get public account data
```shell
vault read quorum-signer/accounts/

Key Value
--- -----
addr 874f98d93427b145fcf1bb2c34f733f6c14597df
```

### Sign data with an account
> Note: The `quorum-signer` is a "dumb" signer - it simply signs the provided data with the specified account. Quorum data is prefixed and hashed before it is signed (e.g. [EIP-191](https://github.com/ethereum/EIPs/blob/master/EIPS/eip-191.md)). The `quorum-signer` expects any data to have already been prefixed and hashed.
>
> This is handled automatically when using `quorum-signer` in conjunction with the [Hashicorp Vault plugin for Quorum](https://github.com/ConsenSys/quorum-account-plugin-hashicorp-vault).

```shell
vault read quorum-signer/sign/ sign=bc4c915d69896b198f0292a72373a2bdcd0d52bccbfcec11d9c84c0fff71b0bc

Key Value
--- -----
sig 01b4402e23ae8cbff32e708ab485f8e708ccd8b47707b91fad42a5b6353b31ba02579620df93c1a6a189303fcf7a8095eb9c24a7bbc0039ab34e7df7bb6f3b5a01
```

* `sign`: hex-encoded data (prefixed and hashed) to be signed
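The `sign` and `import` calls above, as an added example that is not part of the project's code: a small Python client that builds the HTTP form of the `sign` call (assuming Vault's standard mapping of `vault read path k=v` to `GET /v1/path?k=v` authenticated with the `X-Vault-Token` header), refuses anything that is not a 32-byte digest because the engine signs whatever it is given, checks an `import` key before it leaves the client, and splits the returned 65-byte `sig` into r, s and v with a low-s malleability check. The function names and the `bc`-filled sample digest are my own; the signature parsed at the bottom is the one shown in the README's sign example.

```python
import json
import urllib.parse
import urllib.request

# secp256k1 group order: private keys and signature r/s values must lie in [1, N-1]
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def is_32_byte_hex(value):
    """True for exactly 64 hex characters (a 32-byte key or digest)."""
    try:
        return len(bytes.fromhex(value)) == 32
    except ValueError:
        return False

def validate_import_key(hex_key):
    """Client-side check of an `import` value: 32 bytes and a valid secp256k1 scalar."""
    return is_32_byte_hex(hex_key) and 1 <= int(hex_key, 16) < SECP256K1_N

def sign_request(acct_id, digest_hex, mount="quorum-signer"):
    """Build the HTTP form of `vault read <mount>/sign/<acctID> sign=<hex>` (assumed
    mapping: `vault read` with k=v args -> GET /v1/<path>?k=v). Refuses anything that
    is not a 32-byte digest, since the engine signs whatever it is handed."""
    if not is_32_byte_hex(digest_hex):
        raise ValueError("sign must be the hex of an already prefixed-and-hashed 32-byte digest")
    return ("GET", f"/v1/{mount}/sign/{acct_id}", {"sign": digest_hex})

def send(vault_addr, token, method, path, query, timeout=5):
    """Send a built request to a live Vault and return its `data` field (not run offline)."""
    url = vault_addr + path + ("?" + urllib.parse.urlencode(query) if query else "")
    req = urllib.request.Request(url, method=method, headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["data"]

def parse_signature(sig_hex):
    """Split the 65-byte `sig` (r || s || v) the engine returns and flag a malleable
    high-s value; v is the trailing recovery byte (0x01 in the README sample)."""
    raw = bytes.fromhex(sig_hex)
    if len(raw) != 65:
        raise ValueError("expected a 65-byte r||s||v signature")
    r, s, v = int.from_bytes(raw[:32], "big"), int.from_bytes(raw[32:64], "big"), raw[64]
    in_range = 1 <= r < SECP256K1_N and 1 <= s < SECP256K1_N and v in (0, 1)
    return {"r": r, "s": s, "v": v, "in_range": in_range, "low_s": s <= SECP256K1_N // 2}

if __name__ == "__main__":
    # constructed digest (not a real hash); the sig is the one from the README's sign example
    print(sign_request("myAcct", "bc" * 32))
    print(parse_signature("01b4402e23ae8cbff32e708ab485f8e708ccd8b47707b91fad42a5b6353b31ba"
                          "02579620df93c1a6a189303fcf7a8095eb9c24a7bbc0039ab34e7df7bb6f3b5a01"))
```

To use it against the quickstart dev server, pass `send("http://localhost:8200", "root", *sign_request("myAcct", digest))` and read `sig` from the returned dict.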

## Further reading
* [Hashicorp Vault's plugin system](https://www.vaultproject.io/docs/internals/plugins)