Corda secrets
This page documents the secrets that are managed and required by a Corda installation. The secrets fall into two categories:
- Cryptographic keys.
- Passwords.
The relationships between the secrets and the Corda components are shown in the following diagram.
Node
Secrets managed by a Corda Node
Secret | Location | Path | Protection | Accessible by | Description |
---|---|---|---|---|---|
Node CA private key | Disk | certificates/nodekeystore.jks | JKS | Node | Node CA certificate issued by the Doorman (cordaclientca) |
Legal Identity private key | Disk | certificates/nodekeystore.jks | JKS | Node | Legal identity used to sign transactions (identity-private-key) |
TLS private key | Disk | certificates/sslkeystore.jks | JKS | Node | Certificate used for TLS communication (cordaclienttls) |
Node CA private key | HSM | - | - | - | Node CA certificate issued by the Doorman |
Legal Identity private key | HSM | - | - | - | Legal identity used to sign transactions |
Confidential identity | DB | Vault database (NODE_OUR_KEY_PAIRS) | - | Node | Confidential Identity private keys, stored unencrypted |
Node keystore password | Disk | node.conf | - | Node | Password used to protect the integrity of the node keystore |
TLS keystore password | Disk | node.conf | - | Node | Password used to protect the integrity of the SSL keystore |
Truststore password | Disk | node.conf | - | Node | Password used to protect the integrity of the trust store |
HSM credentials | Disk | hsm.conf | - | Node | Credentials for accessing the HSM, if configured |
Vault DB connection | Disk | node.conf | - | Node | Database connection string that includes username & password |
RPC credentials connection | Disk | node.conf | - | Node | Database connection string for storing RPC credentials |
RPC credentials | DB | Credentials database | Salted + Hashed (SHA256) | Node | Usernames & salted (& hashed) passwords in external data store |
Notary
Additional secrets managed by a Corda Notary
Secret | Location | Path | Protection | Accessible by | Description |
---|---|---|---|---|---|
Notary service key | Disk | certificates/nodekeystore.jks | JKS | Notary | Notary service identity issued by the Doorman (distributed-notary-private-key) |
Float & Bridge
Secrets managed by the Corda Float & Bridge
Secret | Location | Path | Description |
---|---|---|---|
TLS private key | Disk | certificates/sslkeystore.jks | Certificate used for TLS communication |
TLS keystore password | Disk | node.conf | Password used to protect the integrity of the SSL keystore |
Trust store password | Disk | node.conf | Password used to protect the integrity of the trust store |
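The tables above name the files in a node directory that hold private keys and passwords. The script below is an added example, not code from the Corda documentation or the Corda project, that audits such a directory from a defender's side: it checks that each secret-bearing file listed in the tables is private to the node user (no group/other read or write bits) and that the keystore and truststore passwords in node.conf are not the development defaults or trivially short. The node.conf key names (`keyStorePassword`, `trustStorePassword`) and the dev-mode default values are assumptions about Corda's configuration, the HOCON matching is line-based rather than a full parser, and the demo node directory it builds is constructed with placeholder files.

```python
"""Audit the secret-bearing files of a Corda node directory.

Added example, not part of the Corda documentation or code base. File paths
follow the secrets tables; node.conf key names and dev-mode default passwords
are assumptions about Corda's configuration.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# Secret-bearing files from the tables above, relative to the node directory.
SECRET_FILES = {
    "certificates/nodekeystore.jks": "node CA and legal identity private keys (JKS)",
    "certificates/sslkeystore.jks": "TLS private key (JKS)",
    "node.conf": "keystore/truststore passwords and DB connection strings",
    "hsm.conf": "HSM credentials",
}
OPTIONAL_FILES = {"hsm.conf"}  # only present when an HSM is configured

# Assumed node.conf keys and the dev-mode default values they ship with.
DEV_DEFAULT_PASSWORDS = {
    "keyStorePassword": "cordacadevpass",
    "trustStorePassword": "trustpass",
}
MIN_PASSWORD_LEN = 12

# Any group/other read or write bit on a key store or config file is a finding.
_OTHERS_MASK = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH


def audit_permissions(node_dir: Path) -> list[str]:
    """Check that every secret-bearing file exists and is private to the node user."""
    findings = []
    for rel, what in SECRET_FILES.items():
        path = node_dir / rel
        if not path.exists():
            if rel not in OPTIONAL_FILES:
                findings.append(f"MISSING {rel}: expected to hold {what}")
            continue
        mode = path.stat().st_mode
        if mode & _OTHERS_MASK:
            findings.append(f"PERMS {rel}: mode {oct(mode & 0o777)} exposes {what} to group/others")
    return findings


# Matches simple `key = "value"` or `key: value` lines of a HOCON node.conf.
_KV_LINE = re.compile(r'^\s*(\w+)\s*[:=]\s*"?([^"\s]*)"?\s*$')


def audit_node_conf(text: str) -> list[str]:
    """Flag keystore/truststore passwords that are dev defaults or too short."""
    findings = []
    for line in text.splitlines():
        match = _KV_LINE.match(line)
        if not match:
            continue
        key, value = match.groups()
        if key not in DEV_DEFAULT_PASSWORDS:
            continue
        if value == DEV_DEFAULT_PASSWORDS[key]:
            findings.append(f"DEFAULT {key}: dev-mode default password still in use")
        elif len(value) < MIN_PASSWORD_LEN:
            findings.append(f"WEAK {key}: shorter than {MIN_PASSWORD_LEN} characters")
    return findings


def audit_node(node_dir: Path) -> list[str]:
    """Run both checks over a node directory and return all findings."""
    findings = audit_permissions(node_dir)
    conf = node_dir / "node.conf"
    if conf.exists():
        findings += audit_node_conf(conf.read_text())
    return findings


def build_demo_node_dir() -> Path:
    """Constructed sample node directory with two deliberate weaknesses:
    a group-readable node keystore and dev-default passwords in node.conf."""
    node_dir = Path(tempfile.mkdtemp(prefix="corda-node-"))
    (node_dir / "certificates").mkdir()
    keystore = node_dir / "certificates" / "nodekeystore.jks"
    keystore.write_bytes(b"constructed placeholder, not a real JKS")
    os.chmod(keystore, 0o644)  # weak: readable by group and others
    ssl = node_dir / "certificates" / "sslkeystore.jks"
    ssl.write_bytes(b"constructed placeholder, not a real JKS")
    os.chmod(ssl, 0o600)  # correct: private to the node user
    conf = node_dir / "node.conf"
    conf.write_text('keyStorePassword = "cordacadevpass"\n'
                    'trustStorePassword = "trustpass"\n'
                    'p2pAddress = "localhost:10002"\n')
    os.chmod(conf, 0o600)
    return node_dir


if __name__ == "__main__":
    for finding in audit_node(build_demo_node_dir()):
        print(finding)
```

Run against a real node directory by calling `audit_node(Path("/path/to/node"))`. The HSM-backed rows in the table are deliberately out of scope: when keys live in an HSM, the file-level checks only cover hsm.conf, and the credentials in it deserve the same private-to-the-node-user treatment as the keystores.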