Configure Encrypted Storage
Encrypt data at rest with the Encrypted Storage plugin and a 256-bit AES encryption key. Store the encryption key locally or in Hashicorp Vault.
TLS is enabled by default for communication between PegaSys Plus and Hashicorp Vault. Configure TLS in the file used to retrieve the encryption key.
The Encrypted Storage plugin must be enabled when the node is started for the first time and the blockchain database is created. In other words, you cannot encrypt an existing unencrypted database.
The encryption key cannot be changed after the database is created.
Using a Locally Stored Encryption Key
Generate the encryption key before configuring encryption. In this example an encrypted key file is created using the
openssl rand -out /myNode/encryptionKey 32 command.
Configure encrypted storage using a locally stored encryption key by enabling the Encrypted Storage plugin and setting the appropriate options.
besu --key-value-storage=encrypted-storage --plugin-encrypted-storage-key=/myNode/encryptionKey
The command line:
- Enables the Encrypted Storage plugin using the
- Specifies the location of the encryption key using the
Using an Encryption Key Stored in Hashicorp Vault
- Hashicorp server must be running
- Encryption key must be written to Hashicorp Vault as a hex string.
- Hashicorp Vault server certificate authority (CA) certificates. Supported truststore types include PEM, PKCS12, and JKS.
Create the TOML configuration file to obtain the encryption key from Hashicorp Vault and configure TLS. In this example the configuration file is named
hashicorp.serverHost="localhost" hashicorp.serverPort=8200 hashicorp.token="s.Ewt5ZAmkY2T9JoF9YJ1g0toy" hashicorp.keyPath="/v1/secret/data/DBEncryptionKey" hashicorp.timeout=30 hashicorp.tlsEnable=true hashicorp.tlsVerifyHost=true hashicorp.tlsTrustStoreType="PEM" hashicorp.tlsTrustStorePath="/myNode/vault/ssl/vault.crt"
Configure encrypted storage by enabling the Encrypted Storage plugin and setting the appropriate options.
besu --key-value-storage=encrypted-storage --plugin-encrypted-storage-hashicorp-config=/myNode/config.toml
The command line: