Skip to main content

Using EthSigner with HashiCorp Vault

EthSigner supports storing the signing key in HashiCorp Vault.

This example uses a HashiCorp development server without TLS and disables TLS when starting EthSigner. TLS is enabled by default between EthSigner and HashiCorp Vault and must be configured when not explicitly disabled.


We do not recommended disabling TLS in production environments.

Storing private key in HashiCorp Vault

After installing HashiCorp Vault and starting the server:

  1. Set the VAULT_ADDR environment variable using the command displayed after starting the server:

    export VAULT_ADDR=''
  2. Save the root token displayed after starting the server in a file called authFile.

  3. Put your signing key into the HashiCorp Vault:

vault kv put secret/ethsignerSigningKey value=<Private Key without 0x prefix>

The private key is stored in the default location for EthSigner. The key must be a base 64 encoded private key for ECDSA for curve secp256k1.

Start Besu

Start Besu with the --rpc-http-port option set to 8590 to avoid conflict with the default EthSigner listening port (8545).

besu --network=dev --miner-enabled --miner-coinbase=0xfe3b557e8fb62b89f4916b721be55ceb828dbd73 --rpc-http-cors-origins="all" --host-allowlist=* --rpc-http-enabled --rpc-http-port=8590 --data-path=/tmp/tmpDatadir

EthSigner requires a chain ID to be used when signing transactions. The downstream Ethereum client must be operating in a milestone supporting replay protection. That is, the genesis file must include at least the Spurious Dragon milestone (defined as eip158Block in the genesis file) so the blockchain is using a chain ID.

Start EthSigner with HashiCorp Vault signing

Start EthSigner.

ethsigner --chain-id=2018 --downstream-http-port=8590 hashicorp-signer --host= --port=8200 --auth-file=authFile --tls-enabled=false --signing-key-path=/v1/secret/data/ethsignerSigningKey

The path to the key in the HashiCorp Vault specified by --signing-key-path is prefixed by the key version and includes data. For example, if the following command is used put the key into the Vault: vault kv put secret/ethsignerSigningKey value=<Private Key>

The path specified for --signing-key-path is /v1/secret/data/ethsignerSigningKey


Use the --http-listen-port option to change the EthSigner listening port if 8545 is in use.

You can now use EthSigner to sign transactions with the key stored in the HashiCorp Vault.