Corda secrets

This page documents the secrets that are managed and required by a Corda installation. The secrets fall into two categories:

  • Cryptographic keys.
  • Passwords.

The relationships between the secrets and the Corda components are shown in the following diagram.

Diagram showing the relationships between the secrets and components

Node

Secrets managed by a Corda Node

| Secret | Location | Path | Protection | Accessible by | Description |
| --- | --- | --- | --- | --- | --- |
| Node CA private key | Disk | certificates/nodekeystore.jks | JKS | Node | Node CA certificate issued by the Doorman (cordaclientca) |
| Legal Identity private key | Disk | certificates/nodekeystore.jks | JKS | Node | Legal identity used to sign transactions (identity-private-key) |
| TLS private key | Disk | certificates/sslkeystore.jks | JKS | Node | Certificate used for TLS communication (cordaclienttls) |
| Node CA private key | HSM | - | - | - | Node CA certificate issued by the Doorman |
| Legal Identity private key | HSM | - | - | - | Legal identity used to sign transactions |
| Confidential identity | DB | Vault database (NODE_OUR_KEY_PAIRS) | | Node | Confidential Identity private keys, stored unencrypted |
| Node keystore password | Disk | node.conf | | Node | Password used to protect the integrity of the node keystore |
| TLS keystore password | Disk | node.conf | | Node | Password used to protect the integrity of the SSL keystore |
| Truststore password | Disk | node.conf | | Node | Password used to protect the integrity of the trust store |
| HSM credentials | Disk | hsm.conf | | Node | Credentials for accessing the HSM, if configured |
| Vault DB connection | Disk | node.conf | | Node | Database connection string that includes username & password |
| RPC credentials connection | Disk | node.conf | | Node | Database connection string for storing RPC credentials |
| RPC credentials | DB | Creds database | Salted + Hashed (SHA256) | Node | Usernames & salted (& hashed) passwords in external data store |

Notary

Additional secrets managed by a Corda Notary

| Secret | Location | Path | Protection | Accessible by | Description |
| --- | --- | --- | --- | --- | --- |
| Notary service key | Disk | certificates/nodekeystore.jks | JKS | Notary | Notary service identity issued by the Doorman (distributed-notary-private-key) |

Float & Bridge

Secrets managed by the Corda Float & Bridge

| Secret | Location | Path | Description |
| --- | --- | --- | --- |
| TLS private key | Disk | certificates/sslkeystore.jks | Certificate used for TLS communication |
| TLS keystore password | Disk | node.conf | |
| Trust store password | Disk | node.conf | Password used to protect the integrity of the trust store |
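Because the keystore, truststore and database passwords above live in clear text in node.conf (and hsm.conf), file permissions on those files are the only thing standing between a co-located user and the keys. The following audit script is an added example, not part of the Corda distribution: it takes a node base directory as its argument, reports any of the listed secret files that are group- or world-readable, and, when keytool is available and the keystore password is supplied in the constructed NODE_KEYSTORE_PW variable, reports the aliases named in the table that are missing from nodekeystore.jks.

```shell
#!/bin/sh
# Audit the on-disk secrets listed on this page for one Corda node directory.
# Constructed example; paths and alias names are taken from the tables above.

# Files holding secrets in the clear or password-protected keystores,
# relative to the node base directory.
SECRET_FILES="node.conf hsm.conf certificates/nodekeystore.jks certificates/sslkeystore.jks"

# Print each secret file under $1 whose group or other permission bits are set.
# Characters 5-10 of `ls -l` are the group and other bits, so "------" is 0600/0400.
loose_perms() {
    dir=$1
    for rel in $SECRET_FILES; do
        f="$dir/$rel"
        [ -f "$f" ] || continue   # hsm.conf is only present when an HSM is configured
        if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            echo "$rel"
        fi
    done
}

# Given the output of `keytool -list -keystore <file> -storepass <pw>` as the first
# argument and the expected alias names as the rest, print each alias that is absent.
# keytool lists one entry per alias as "<alias>, <date>, PrivateKeyEntry, ...".
missing_aliases() {
    listing=$1; shift
    for alias in "$@"; do
        printf '%s\n' "$listing" | grep -q "^${alias}," || echo "$alias"
    done
}

# Usage: sh audit_node_secrets.sh /opt/corda   (NODE_KEYSTORE_PW is a constructed variable name)
if [ -n "$1" ]; then
    loose_perms "$1" | sed 's/^/group or world readable: /'
    if command -v keytool >/dev/null 2>&1 && [ -n "$NODE_KEYSTORE_PW" ]; then
        listing=$(keytool -list -keystore "$1/certificates/nodekeystore.jks" \
                          -storepass "$NODE_KEYSTORE_PW" 2>/dev/null)
        missing_aliases "$listing" cordaclientca identity-private-key \
            | sed 's/^/missing alias in nodekeystore.jks: /'
    fi
fi
```

A notary would additionally pass distributed-notary-private-key to missing_aliases, and a Float or Bridge host would check cordaclienttls in sslkeystore.jks instead.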
