Encrypted storage

PegaSys Plus provides the Encrypted Storage plugin to encrypt a node’s blockchain data at rest in a RocksDB database. Data is encrypted and decrypted using a 256-bit AES key that is stored locally or in Hashicorp Vault.

The Encrypted Storage plugin must be enabled on the command line using --key-value-storage=encrypted-storage.

Important

The option to use encryption at rest must be enabled when the blockchain database is created on the node. In other words, you cannot encrypt an existing unencrypted database.

The encryption key cannot be changed after the database is created.

We recommend that you use TLS for communication between PegaSys Plus and Hashicorp Vault. Configure TLS in the file used to retrieve the encryption key.

Store encryption keys locally

The encryption key can be stored locally in a file. To configure encrypted storage using a local file, enable the Encrypted Storage plugin and set the location of the encryption key from the command line.

Store encryption keys in Hashicorp Vault

The encryption key can be stored in Hashicorp Vault as a hex string. Create a TOML configuration file to retrieve the encryption key and configure TLS between PegaSys Plus and the Hashicorp Vault server.

To configure encrypted storage using Hashicorp Vault, enable the Encrypted Storage plugin and set the location of the configuration file from the command line.
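As an added illustration (not part of the PegaSys Plus documentation or plugin code), the following POSIX shell helpers generate a 256-bit key as a hex string, validate its format, and write it to a local key file with owner-only permissions, refusing to overwrite an existing file because the plugin cannot change the key once the database exists. The Vault KV path `secret/pegasys-plus` and field name `key` are assumptions for the Vault variant.

```shell
#!/bin/sh
# Generate a 256-bit (32-byte) key as a 64-character hex string.
# Uses /dev/urandom + od so it works without openssl.
gen_key_hex() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Check that a string is exactly 64 hex characters (256 bits).
# Returns 0 when valid, 1 otherwise.
is_valid_key_hex() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{64}$'
}

# Write the key to a local file for the Encrypted Storage plugin.
# Refuses to overwrite: the key cannot be rotated after the database
# is created, so clobbering the file would make the data unreadable.
# The file is created with mode 0600 so only the node's user can read it.
write_key_file() {
    key="$1"
    path="$2"
    if [ -e "$path" ]; then
        echo "refusing to overwrite existing key file: $path" >&2
        return 1
    fi
    if ! is_valid_key_hex "$key"; then
        echo "key is not a 64-character hex string" >&2
        return 2
    fi
    # Subshell keeps the restrictive umask from leaking to the caller.
    ( umask 077 && printf '%s\n' "$key" > "$path" ) || return 3
    chmod 600 "$path"
}

# Store the same hex string in Vault's KV engine instead of a local file.
# Path and field name are assumptions; adjust to match the TOML config
# that points the plugin at the secret.
vault_put_key() {
    is_valid_key_hex "$1" || return 2
    vault kv put secret/pegasys-plus key="$1"
}
```

Point the node at the written file (or at the TOML file describing the Vault secret) using the plugin's key-location option, and keep a backup of the key outside the node host, since losing it means losing the encrypted database.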