Skip to main content

HashiCorp Vault

The Operator supports loading signing keys from a remote HashiCorp Vault ↗ instance, avoiding storage of keystores on the filesystem. This approach is best suited for node operators who already have most of StakeWise Operator functionality implemented in their systems, and only need integration for validators registration and withdrawals.

IconAdvanced Users Only

Regular users should only employ this functionality on their own risk, if they already manage a deployment of HashiCorp Vault.

Prerequisites

Complete the following steps before proceeding:

IconRequired Setup Steps
  1. Installation → completed
  2. Validators Manager → set
  3. Validator keys stored in your HashiCorp Vault ↗ instance

Key Storage Format

The user must provide HashiCorp Vault instance URL, authentication token, and secret path in K/V engine.

Internal structure of the secret must resemble the following JSON format:

{
"pubkey1": "privkey1",
"pubkey2": "privkey2",
...
}

Public and private signing keys must be stored in hex form, with or without 0x prefix.

After loading keys from HashiCorp Vault, the operator behaves in the same way as if it had loaded them from keystores, no additional operations needed to support the integration.

Start Operator Service

Passing following options to start-hashi-vault command will enable loading validator signing keys from remote HashiCorp Vault ↗.

./operator start-hashi-vault \
--vault=0x834F27bC8670491b75af512d943f01D5383F87Cf \
--consensus-endpoints=https://consensus-node \
--execution-endpoints=https://execution-node \
--hashi-vault-key-path=keystores1 \
--hashi-vault-key-path=keystores2 \
--hashi-vault-token=hvs.abcde \
--hashi-vault-url=https://hashi-vault:8200

Configuration Options

  • --hashi-vault-url - The base URL of the vault service, e.g. http://vault:8200.
  • --hashi-vault-token - Authentication token for accessing Hashi vault.
  • --hashi-vault-key-path - Key path(s) in the K/V secret engine where validator signing keys are stored. This flag can be repeated multiple times to specify multiple paths
  • --hashi-vault-key-prefix - Key prefix(es) in the K/V secret engine under which validator signing keys are stored. This flag can be repeated multiple times to specify multiple prefixes
  • --hashi-vault-parallelism - How much requests to K/V secrets engine to do in parallel
IconAdditional Configuration

This setup supports various optional flags to provide more flexibility and customization. See all available options in the Start Operator → setup.