Corda secrets

This page documents the secrets that are managed and required by a Corda installation. The secrets fall into two categories:

  • Cryptographic keys.
  • Passwords.

The relationships between the secrets and the Corda components are shown in the following diagram.

Diagram showing the relationships between the secrets and components

Secrets managed by a Corda Node

| Secret | Location | Path | Protection | Accessible by | Description |
|---|---|---|---|---|---|
| Node CA private key | Disk | certificates/nodekeystore.jks | JKS | Node | Node CA certificate issued by the Doorman (cordaclientca) |
| Legal Identity private key | Disk | certificates/nodekeystore.jks | JKS | Node | Legal identity used to sign transactions (identity-private-key) |
| TLS private key | Disk | certificates/sslkeystore.jks | JKS | Node | Certificate used for TLS communication (cordaclienttls) |
| Node CA private key | HSM | - | - | - | Node CA certificate issued by the Doorman |
| Legal Identity private key | HSM | - | - | - | Legal identity used to sign transactions |
| Confidential identity | DB | Vault database (NODE_OUR_KEY_PAIRS) | | Node | Confidential Identity private keys, stored unencrypted |
| Node keystore password | Disk | node.conf | | Node | Password used to protect the integrity of the node keystore |
| TLS keystore password | Disk | node.conf | | Node | Password used to protect the integrity of the SSL keystore |
| Truststore password | Disk | node.conf | | Node | Password used to protect the integrity of the trust store |
| HSM credentials | Disk | hsm.conf | | Node | Credentials for accessing the HSM, if configured |
| Vault DB connection | Disk | node.conf | | Node | Database connection string that includes username & password |
| RPC credentials connection | Disk | node.conf | | Node | Database connection string for storing RPC credentials |
| RPC credentials | DB | Credentials database | Salted + hashed (SHA-256) | Node | Usernames & salted (& hashed) passwords in an external data store |

Additional secrets managed by a Corda Notary

| Secret | Location | Path | Protection | Accessible by | Description |
|---|---|---|---|---|---|
| Notary service key | Disk | certificates/nodekeystore.jks | JKS | Notary | Notary service identity issued by the Doorman (distributed-notary-private-key) |

Secrets managed by the Corda Float & Bridge

| Secret | Location | Path | Description |
|---|---|---|---|
| TLS private key | Disk | certificates/sslkeystore.jks | Certificate used for TLS communication |
| TLS keystore password | Disk | node.conf | |
| Trust store password | Disk | node.conf | Password used to protect the integrity of the trust store |
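As an added example (not from the Corda documentation or the Corda project), a small Python audit of the on-disk secret locations listed in the tables above: it checks that the keystores and configuration files are readable only by their owner, and that the node.conf keystore passwords are not the assumed Corda dev-mode defaults. The node.conf key names (keyStorePassword, trustStorePassword), the default values and the simplified line-based parse of node.conf are assumptions, not taken from this page.

```python
import re
import stat
from pathlib import Path

# Files from the tables above that hold secrets on disk, relative to the node directory.
SECRET_FILES = [
    "certificates/nodekeystore.jks",
    "certificates/sslkeystore.jks",
    "node.conf",
    "hsm.conf",  # only present when an HSM is configured
]

# Assumed node.conf keys and assumed Corda dev-mode default passwords (adjust for your version).
PASSWORD_KEYS = ("keyStorePassword", "trustStorePassword")
ASSUMED_DEV_DEFAULTS = {"cordacadevpass", "trustpass"}


def _read_passwords(conf_text: str) -> dict:
    """Extract password values from simple `key = "value"` lines (not a full HOCON parser)."""
    found = {}
    for key in PASSWORD_KEYS:
        m = re.search(rf'^\s*{key}\s*[=:]\s*"?([^"\n]*)"?\s*$', conf_text, re.MULTILINE)
        if m:
            found[key] = m.group(1)
    return found


def audit_node_dir(node_dir: str) -> list:
    """Return a list of findings (strings) for the secret-bearing files listed on this page."""
    findings = []
    base = Path(node_dir)
    for rel in SECRET_FILES:
        p = base / rel
        if not p.exists():
            if rel != "hsm.conf":  # hsm.conf is optional
                findings.append(f"missing: {rel}")
            continue
        mode = stat.S_IMODE(p.stat().st_mode)
        # Secrets should be readable by the node's service account only: no group/other bits.
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"permissive mode {oct(mode)}: {rel}")
    conf = base / "node.conf"
    if conf.exists():
        for key, value in _read_passwords(conf.read_text()).items():
            if value in ASSUMED_DEV_DEFAULTS:
                findings.append(f"dev default password in node.conf: {key}")
            elif len(value) < 12:
                findings.append(f"short password in node.conf: {key}")
    return findings
```

Run `audit_node_dir("/path/to/node")` from the account that operates the node; an empty list means every listed file is present and owner-only, with non-default passwords.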
