Configure Encrypted Storage

Encrypt data at rest with the Encrypted Storage plugin and a 256-bit AES encryption key. Store the encryption key locally or in Hashicorp Vault.

TLS is enabled by default for communication between PegaSys Plus and Hashicorp Vault. Configure TLS in the file used to retrieve the encryption key.

Important

The Encrypted Storage plugin must be enabled when the node is started for the first time and the blockchain database is created. In other words, you cannot encrypt an existing unencrypted database.

The encryption key cannot be changed after the database is created.

Using a Locally Stored Encryption Key

Generate the encryption key before configuring encryption. In this example a 32-byte (256-bit) key file is created using the openssl rand -out /myNode/encryptionKey 32 command.

Configure encrypted storage using a locally stored encryption key by enabling the Encrypted Storage plugin and setting the appropriate options.

Example

besu --key-value-storage=encrypted-storage --plugin-encrypted-storage-key=/myNode/encryptionKey

The command line:
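The following is an added example, not part of the PegaSys Plus or Besu documentation. It generates the 32-byte key file as the step above describes, then checks the file is exactly 32 bytes and readable only by its owner before handing the same besu command line the key path. The path /myNode/encryptionKey comes from the page; the KEY_FILE variable, the "setup" argument, the /dev/urandom fallback used when openssl is absent, and the idea of running this as a wrapper around besu are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Besu / PegaSys Plus docs): create the 256-bit key
# file for the Encrypted Storage plugin and check it before the node starts.
# KEY_FILE defaults to the path used on the documentation page.

KEY_FILE="${KEY_FILE:-/myNode/encryptionKey}"

# Write 32 random bytes (256 bits) to the key file. The subshell umask makes
# the file owner-only from the moment it is created, and chmod makes that
# explicit. The /dev/urandom branch is an assumed fallback for hosts without openssl.
generate_key() {
  key="$1"
  (
    umask 077
    if command -v openssl >/dev/null 2>&1; then
      openssl rand -out "$key" 32
    else
      head -c 32 /dev/urandom > "$key"
    fi
  )
  chmod 600 "$key"
}

# Preflight check: the file must exist, be exactly 32 bytes (a 256-bit AES key),
# and not be readable by group or others. Returns 0 when acceptable, 1 otherwise.
check_key() {
  key="$1"
  [ -f "$key" ] || { echo "missing key file: $key" >&2; return 1; }
  size=$(wc -c < "$key" | tr -d ' ')
  [ "$size" -eq 32 ] || { echo "key is $size bytes, expected 32" >&2; return 1; }
  # GNU stat first, BSD/macOS stat as fallback.
  perms=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  case "$perms" in
    600|400) ;;
    *) echo "key file mode is $perms, expected 600" >&2; return 1 ;;
  esac
  return 0
}

# Usage (assumed wrapper): KEY_FILE=/myNode/encryptionKey sh start-node.sh setup
# Generates the key once, refuses to start on a bad key file, then runs the
# command line from the documentation with the key path substituted.
if [ "${1:-}" = "setup" ]; then
  [ -f "$KEY_FILE" ] || generate_key "$KEY_FILE"
  check_key "$KEY_FILE" || exit 1
  exec besu --key-value-storage=encrypted-storage --plugin-encrypted-storage-key="$KEY_FILE"
fi
```

Because the key cannot be changed once the database exists, the check runs before besu is launched rather than after: a truncated or world-readable key file is caught before it is baked into a new database.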

Using an Encryption Key Stored in Hashicorp Vault

Prerequisites:

  • A Hashicorp Vault server must be running.
  • The encryption key must be written to Hashicorp Vault as a hex string.
  • The Hashicorp Vault server's certificate authority (CA) certificate must be available in a truststore. Supported truststore types are PEM, PKCS12, and JKS.

Create the TOML configuration file to obtain the encryption key from Hashicorp Vault and configure TLS. In this example the configuration file is named /myNode/config.toml:

hashicorp.serverHost="localhost"
hashicorp.serverPort=8200
hashicorp.token="s.Ewt5ZAmkY2T9JoF9YJ1g0toy"
hashicorp.keyPath="/v1/secret/data/DBEncryptionKey"
hashicorp.timeout=30
hashicorp.tlsEnable=true
hashicorp.tlsVerifyHost=true
hashicorp.tlsTrustStoreType="PEM"
hashicorp.tlsTrustStorePath="/myNode/vault/ssl/vault.crt"

Configure encrypted storage by enabling the Encrypted Storage plugin and setting the appropriate options.

Example

besu --key-value-storage=encrypted-storage --plugin-encrypted-storage-hashicorp-config=/myNode/config.toml

The command line:
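The following is an added example, not part of the PegaSys Plus or Besu documentation. It covers the two prerequisites above that the page leaves to the operator: writing a 256-bit key to Vault as a hex string at the path the TOML file names, and checking the TOML file itself (TLS on, host verification on, truststore present, file not readable by other users, since it carries a Vault token) before the besu command line from the page is run. Assumptions of this example: the vault CLI is installed and already authenticated through VAULT_ADDR and VAULT_TOKEN, "secret" is a KV version 2 mount (which is what a /v1/secret/data/... keyPath addresses), and the field name "value" is a placeholder; the field name the plugin reads is not stated on this page and should be confirmed in the plugin documentation. The CONFIG_FILE variable and the "start" argument are also this example's own.

```shell
#!/bin/sh
# Added example (not from the Besu / PegaSys Plus docs): store a hex key in
# Vault and preflight the plugin's TOML file before the node starts.
# CONFIG_FILE defaults to the path used on the documentation page.

CONFIG_FILE="${CONFIG_FILE:-/myNode/config.toml}"

# A 256-bit key written as hex is exactly 64 hex digits. Returns 0 if so.
is_hex_key() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{64}$'
}

# Generate a fresh hex key and store it at secret/DBEncryptionKey (KV v2),
# which the HTTP API exposes as /v1/secret/data/DBEncryptionKey, the
# hashicorp.keyPath in the page's TOML. The field name "value" is an assumption.
write_vault_key() {
  key=$(openssl rand -hex 32)
  is_hex_key "$key" || return 1
  vault kv put secret/DBEncryptionKey value="$key" >/dev/null
}

# Read one hashicorp.<name> setting from the TOML file, with quotes stripped.
toml_get() {
  sed -n "s/^hashicorp\.$1=//p" "$2" | tr -d '"' | head -n 1
}

# Preflight checks on the Vault config: TLS must be enabled with host
# verification, the truststore must be readable and of a supported type, and
# the file must be owner-only because it contains the Vault token.
check_vault_config() {
  cfg="$1"
  [ -f "$cfg" ] || { echo "missing config: $cfg" >&2; return 1; }
  [ "$(toml_get tlsEnable "$cfg")" = "true" ] || { echo "tlsEnable must be true" >&2; return 1; }
  [ "$(toml_get tlsVerifyHost "$cfg")" = "true" ] || { echo "tlsVerifyHost must be true" >&2; return 1; }
  store=$(toml_get tlsTrustStorePath "$cfg")
  [ -r "$store" ] || { echo "truststore not readable: $store" >&2; return 1; }
  case "$(toml_get tlsTrustStoreType "$cfg")" in
    PEM|PKCS12|JKS) ;;
    *) echo "tlsTrustStoreType must be PEM, PKCS12 or JKS" >&2; return 1 ;;
  esac
  # GNU stat first, BSD/macOS stat as fallback.
  perms=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
  case "$perms" in
    600|400) ;;
    *) echo "config mode is $perms, expected 600 (file holds the Vault token)" >&2; return 1 ;;
  esac
  return 0
}

# Usage (assumed wrapper): sh start-node.sh start
# Run write_vault_key once beforehand; the node then starts only if the
# config passes the checks above.
if [ "${1:-}" = "start" ]; then
  check_vault_config "$CONFIG_FILE" || exit 1
  exec besu --key-value-storage=encrypted-storage \
       --plugin-encrypted-storage-hashicorp-config="$CONFIG_FILE"
fi
```

Keeping tlsVerifyHost=true matters as much as tlsEnable=true: with host verification off, a TLS connection to the wrong server would still be accepted and the node would ask it for the database key. The mode check exists because the TOML file is the only place the Vault token lives on disk.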