Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/ConsenSys/quorum-signer-plugin-for-hashicorp-vault
A secret engine plugin for Hashicorp Vault that stores quorum accounts and uses them to sign data
- Host: GitHub
- URL: https://github.com/ConsenSys/quorum-signer-plugin-for-hashicorp-vault
- Owner: Consensys
- License: apache-2.0
- Created: 2020-08-16T08:58:55.000Z (about 4 years ago)
- Default Branch: master
- Last Pushed: 2024-06-05T02:17:01.000Z (5 months ago)
- Last Synced: 2024-06-19T11:33:13.582Z (5 months ago)
- Topics: protocols-team-goquorum
- Language: Go
- Homepage:
- Size: 59.6 KB
- Stars: 4
- Watchers: 5
- Forks: 7
- Open Issues: 2
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-quorum - Quorum Signer Hashicorp - Custom plugin backend for Hashicorp Vault adding a new `quorum-signer` secret-engine to Hashicorp Vault (Software components / Private Key Manager)
README
# Quorum Signer plugin for Hashicorp Vault
The Quorum Signer plugin is a [custom plugin backend for Hashicorp Vault](https://www.vaultproject.io/docs/plugin) that adds a new `quorum-signer` secret-engine type to Hashicorp Vault.
The `quorum-signer` secret-engine creates and stores Quorum accounts that can be used to sign data.
When used in conjunction with the [Hashicorp Vault plugin for Quorum](https://github.com/ConsenSys/quorum-account-plugin-hashicorp-vault), Quorum can sign transactions and data as normal, with the added security benefit that account private keys never leave the boundaries of Vault and never have to be directly managed.
## Building
```shell
make
```

## Quickstart
> This quickstart uses the `vault` dev server. The dev server is quick and easy to set up but should not be used for production.
>
> The dev server does **not**:
> * persist data between restarts
> * encrypt HTTP communications with TLS
>
> For more advanced Vault topics (such as configuring storage, TLS, and approle token renewal) see the [Vault docs](https://www.vaultproject.io/docs).

```shell
make
```
```shell
vault server -dev -dev-root-token-id=root \
-dev-plugin-dir=/path/to/quorum-signer-plugin-for-hashicorp-vault/build
```

The output should include something similar to the following to indicate the plugin is available:
```shell
The following dev plugins are registered in the catalog:
- quorum-signer-
```

In another terminal:
```shell
export VAULT_ADDR=http://localhost:8200
export VAULT_TOKEN=root
vault secrets enable -path quorum-signer quorum-signer-
```

The `quorum-signer` secret-engine will now be available for use.
### Vault non-dev mode
Using plugins with a non-dev mode Vault server requires additional Vault configuration and for the plugin to be registered before it can be used. See [Plugin Registration](https://www.vaultproject.io/docs/internals/plugins#plugin-registration) for more info.
1. Add `plugin_directory` and `api_addr` fields to `config.hcl`, e.g.:
```
plugin_directory = "path/to/quorum-signer-plugin-for-hashicorp-vault/build"
api_addr = "https://localhost:8200"
```
1. Register the plugin in Vault
```shell
vault write sys/plugins/catalog/secret/quorum-signer- \
    sha256= \
    command="quorum-signer- --ca-cert= --client-cert= --client-key="
```
* `sha256`: Hash of the plugin binary (e.g. from `shasum -a 256 /hashicorp-vault-signing-plugin/build/quorum-signer-`). Vault verifies the binary against this hash before running it, so the hash must be recomputed and the catalog entry updated whenever the plugin is rebuilt.
* `--ca-cert`, `--client-cert`, `--client-key`: The plugin acts as a client to the Vault server. If TLS is configured on the Vault server then the paths to the necessary client TLS certs must be provided.

## API
The `quorum-signer` secret-engine stores accounts with a user-defined `acctID` (e.g. `myAcct`). Interacting with accounts is made possible through the plugin's API.

### List acctIDs
```shell
vault list quorum-signer/accounts
Keys
----
myAcct
otherAcct
```

### Create new account
> Note: Overwriting existing secrets (i.e. using the same `acctID`) is not supported

```shell
vault write -f quorum-signer/accounts/
Key     Value
---     -----
addr    874f98d93427b145fcf1bb2c34f733f6c14597df
```

### Import existing account
> Note: Overwriting existing secrets (i.e. using the same `acctID`) is not supported

```shell
vault write quorum-signer/accounts/ import=1fe8f1ad4053326db20529257ac9401f2e6c769ef1d736b8c2f5aba5f787c72b
Key     Value
---     -----
addr    6038dc01869425004ca0b8370f6c81cf464213b3
```
* `import`: hex-encoded private key. Passing the key as a command-line argument exposes it to shell history and process listings; `vault write` reads a value from a file when it is given as `import=@/path/to/keyfile`, which keeps the key off the command line.
### Get public account data
```shell
vault read quorum-signer/accounts/
Key     Value
---     -----
addr    874f98d93427b145fcf1bb2c34f733f6c14597df
```

### Sign data with an account
> Note: The `quorum-signer` is a "dumb" signer - it simply signs the provided data with the specified account. Quorum data is prefixed and hashed before it is signed (e.g. [EIP-191](https://github.com/ethereum/EIPs/blob/master/EIPS/eip-191.md)). The `quorum-signer` expects any data to have already been prefixed and hashed.
>
> This is handled automatically when using `quorum-signer` in conjunction with the [Hashicorp Vault plugin for Quorum](https://github.com/ConsenSys/quorum-account-plugin-hashicorp-vault).

```shell
vault read quorum-signer/sign/ sign=bc4c915d69896b198f0292a72373a2bdcd0d52bccbfcec11d9c84c0fff71b0bc
Key     Value
---     -----
sig     01b4402e23ae8cbff32e708ab485f8e708ccd8b47707b91fad42a5b6353b31ba02579620df93c1a6a189303fcf7a8095eb9c24a7bbc0039ab34e7df7bb6f3b5a01
```
* `sign`: hex-encoded data (prefixed and hashed) to be signed
## Further reading
* [Hashicorp Vault's plugin system](https://www.vaultproject.io/docs/internals/plugins)