Managing Ethereum Secrets with Hashicorp Vault
We use the Parity Ethereum client as part of our technology stack to create a blockchain-based full stack application that enables the MediLedger Product Verification Service (PVS). One challenge with any blockchain-based decentralized application is how private keys are stored. This earlier piece lists some considerations before choosing a key management option.
Unlike typical SaaS applications, in a blockchain-based application the user is completely responsible for their access to the network via their private key(s). There is no central administrator who can restore your access should you lose your private key. Hence it is extremely important to have a good key management strategy. There are multiple open source Ethereum projects such as ethereumjs-wallet and ruby-eth that can generate public-private key pairs for Ethereum accounts. While these tools work, they make it difficult to standardize key management practices across an organization. Using them ad hoc is also inherently insecure: the private key may be stored in plaintext on the machine where the tool is run, lost if the machine crashes, or stolen by an attacker.
These tools work for dev or test environments, but a production environment requires a more robust solution. The following features are particularly desirable:
1. The private key is not exposed by default
2. The private key will be stored in a safe manner
3. Access to the private key can be tightly controlled
4. Records of access to the private key are logged for auditing purposes
Hashicorp Vault and the Vault Ethereum plugin satisfy all of these requirements, and this blog post from Hashicorp describes how to use the system. Disclaimer: We do not officially recommend this system or have any business relationship with Hashicorp.
You first need to install Vault and then the Ethereum plugin on top of it. Installing these is not a trivial procedure and should be done carefully. Once installed, access policies should be defined based on the requirements of your IT organization and project team.
Once set up, you can generate keys using the procedure defined here. You can also export private keys for use in another system, if desired, using these instructions.
In our application setup, we generate public-private key pairs using the Vault Ethereum plugin and plug in the generated account address. The user doesn’t need to provide the private key. There are policies defined around who has access to private keys.
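As an added example (not code from this post, from Vault, or from the plugin), the sketch below shows how the audit requirement above can be checked in practice: it scans JSON-lines audit records for responses on the key-export path and classifies each as expected, denied, or unapproved. The `ethereum/export/` path prefix, the identity names, and the sample log lines are assumptions constructed for illustration; the record layout follows the general shape of a Vault file audit device entry.

```python
import json
import re

# Constructed sample records; mount point, paths and identities are hypothetical.
SAMPLE_AUDIT_LOG = """\
{"time":"2019-03-01T10:00:00Z","type":"response","auth":{"display_name":"approle-pvs-api"},"request":{"operation":"update","path":"ethereum/accounts/pvs/sign","remote_address":"10.0.0.5"}}
{"time":"2019-03-01T10:05:00Z","type":"request","auth":{"display_name":"ldap-alice"},"request":{"operation":"read","path":"ethereum/export/accounts/pvs","remote_address":"10.0.0.9"}}
{"time":"2019-03-01T10:05:00Z","type":"response","auth":{"display_name":"ldap-alice"},"request":{"operation":"read","path":"ethereum/export/accounts/pvs","remote_address":"10.0.0.9"}}
{"time":"2019-03-01T10:07:00Z","type":"response","auth":{"display_name":"approle-pvs-api"},"request":{"operation":"read","path":"ethereum/export/accounts/pvs","remote_address":"10.0.0.5"},"error":"1 error occurred:\\n\\t* permission denied\\n\\n"}
not-json garbage line
"""

# Assumed location of the plugin's export endpoint; adjust to your mount.
EXPORT_PATH = re.compile(r"^ethereum/export/")


def key_export_events(log_text, allowed=frozenset({"ldap-alice"})):
    """Return (findings, unparsable_count) for responses on the export path."""
    findings, bad = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            bad += 1  # a gap in the audit trail is itself worth surfacing
            continue
        # Only response records say whether the request succeeded.
        if not isinstance(entry, dict) or entry.get("type") != "response":
            continue
        req = entry.get("request") or {}
        if not EXPORT_PATH.match(req.get("path", "")):
            continue
        who = (entry.get("auth") or {}).get("display_name", "<unknown>")
        if entry.get("error"):
            verdict = "denied-attempt"
        elif who in allowed:
            verdict = "expected-export"
        else:
            verdict = "ALERT-unapproved-export"
        findings.append((entry.get("time"), who, req.get("remote_address"), verdict))
    return findings, bad


if __name__ == "__main__":
    events, unparsable = key_export_events(SAMPLE_AUDIT_LOG)
    for event in events:
        print(*event)
    print("unparsable lines:", unparsable)
```

Denied attempts are reported alongside successful exports because a service identity that only needs to sign has no reason to touch the export path at all.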
Securely storing private keys for any blockchain-based application is as critical as (if not more critical than) the application itself. We have found that using the Vault Ethereum plugin has worked for us and we encourage our customers and everyone in this community to always use any suitable key management system to avoid losing your access to the network.
