Skip to main content

Multikey parameters

The optional [metadata] section in the TOML files contains data that is not required by EthSigner. The [signing] section contains the parameters required for the signing type.


All parameters in the [signing] section are mandatory.

File-based signing

createdAt = 1994-11-05T08:15:30-05:00
description = "Example of a File based configuration"

type = "file-based-signer"
key-file = "/Users/me/project/78e6e236592597c09d5c137c2af40aecd42d12a2.key"
password-file = "/Users/me/project/78e6e236592597c09d5c137c2af40aecd42d12a2.password"

EthSigner supports absolute paths or relative paths when specifying key-file and password-file. Relative paths are relative to the directory specified in the multikey-signer --directory subcommand.

typeType of key signing. Use file-based-signer
key-fileV3 keystore file containing the key with which transactions are signed
password-fileFile containing the password for the key with which transactions are signed.

HashiCorp Vault signing

createdAt = 2019-07-01T12:11:30Z
description = "Example of a valid HashiCorp based configuration"

type = "hashicorp-signer"
keyPath = "/v1/secret/data/ethsignerKey"
keyName = "value"
token = "root_token"
serverHost = "localhost"
serverPort = 8200
timeout = 5000
tlsEnable = true
tlsTrustStoreType = "ALLOWLIST"
tlsTrustStorePath = "/Users/me/project/knownHashicorpServers"

The value of keyPath is dependent on how HashiCorp Vault secret engine is configured. It's usually in the format of /v1/<secret-engine-name>/data/<secret-path>. For example, in HashiCorp Vault dev mode, a default secret engine with name secret is created. Creating a path EthSignerKeys in secret would result in the keyPath value to be /v1/secret/data/EthSignerKeys.

typeType of key signing. Use hashicorp-signer
keyPathPath to secret in the HashiCorp Vault containing the private key for signing transactions.
keyNameName of the key that maps to the private key in the secret. Defaults to value.
tokenHashiCorp Vault authentication token that is required to access the secret defined by the keyPath.
serverHostHost of the HashiCorp Vault server.
serverPortPort of the HashiCorp Vault server. Defaults to 8200.
timeoutTimeout in milliseconds for requests to the HashiCorp Vault server. Defaults to 10000.
tlsEnableEnable/Disable TLS communication with HashiCorp Vault server. Defaults to true.
tlsTrustStoreTypeThe type of Truststore that stores HashiCorp Vault server TLS certificate. Valid values are ALLOWLIST, JKS, PKCS12 and PEM. Can be omitted if HashiCorp server's CA is already trusted.
tlsTrustStorePathPath to the Truststore file. Required when tlsTrustStoreType is specified. See example of how to create an ALLOWLIST Truststore file.
tlsTrustStorePasswordPassword to decrypt truststore file. Only required for JKS and PKCS12 truststore types.

Azure Key Vault signing

createdAt = 2011-11-01T12:15:30Z
description = "Example of an Azure Key Vault based configuration"

type = "azure-signer"
key-vault-name = "AzureKeyVault"
key-name = "ethsignerKey"
key-version = "7c01fe58d68148bba5824ce418241092"
client-id = "47efee5c-8079-4b48-31bb4f2e9a22"
client-secret = "TW_3Uc/HLPdpLp5*om@MGcd1T29MuP*5"
tenant-id = "34255fb0-379b-4a1a-bd47-d211ab86df81"
typeType of key signing. Use azure-signer
key-vault-nameName of the vault to access. Sub-domain of
key-nameName of key to be used
key-versionVersion of the specified key
client-idID used to authenticate with Azure Key Vault
client-secretSecret used to access the vault
tenant-idThe tenant ID used to authenticate with Azure Key Vault.