Corda secrets

This page documents the secrets that are managed and required by a Corda installation. The secrets fall into two categories:

  • Cryptographic keys.
  • Passwords.

The relationships between the secrets and the Corda components are shown in the following diagram.

Diagram showing the relationships between the secrets and components

Node

Secrets managed by a Corda Node

| Secret | Location | Path | Protection | Accessible by | Description |
|---|---|---|---|---|---|
| Node CA private key | Disk | certificates/nodekeystore.jks | JKS | Node | Node CA certificate issued by the Doorman (cordaclientca) |
| Legal Identity private key | Disk | certificates/nodekeystore.jks | JKS | Node | Legal identity used to sign transactions (identity-private-key) |
| TLS private key | Disk | certificates/sslkeystore.jks | JKS | Node | Certificate used for TLS communication (cordaclienttls) |
| Node CA private key | HSM | - | - | - | Node CA certificate issued by the Doorman |
| Legal Identity private key | HSM | - | - | - | Legal identity used to sign transactions |
| Confidential identity | DB | Vault database (NODE_OUR_KEY_PAIRS) | | Node | Confidential Identity private keys, stored unencrypted |
| Node keystore password | Disk | node.conf | | Node | Password used to protect the integrity of the node keystore |
| TLS keystore password | Disk | node.conf | | Node | Password used to protect the integrity of the SSL keystore |
| Truststore password | Disk | node.conf | | Node | Password used to protect the integrity of the trust store |
| HSM credentials | Disk | hsm.conf | | Node | Credentials for accessing the HSM, if configured |
| Vault DB connection | Disk | node.conf | | Node | Database connection string that includes username & password |
| RPC credentials connection | Disk | node.conf | | Node | Database connection string for storing RPC credentials |
| RPC credentials | DB | Creds database | Salted + Hashed (SHA256) | Node | Usernames & salted (& hashed) passwords in external data store |

Notary

Additional secrets managed by a Corda Notary

| Secret | Location | Path | Protection | Accessible by | Description |
|---|---|---|---|---|---|
| Notary service key | Disk | certificates/nodekeystore.jks | JKS | Notary | Notary service identity issued by the Doorman (distributed-notary-private-key) |

Float & Bridge

Secrets managed by the Corda Float & Bridge

| Secret | Location | Path | Description |
|---|---|---|---|
| TLS private key | Disk | certificates/sslkeystore.jks | Certificate used for TLS communication |
| TLS keystore password | Disk | node.conf | |
| Trust store password | Disk | node.conf | Password used to protect the integrity of the trust store |
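Because node.conf holds the keystore and truststore passwords and database credentials in plaintext, and the JKS files hold the private keys, a simple operational check is to confirm that each file from the tables above exists and is not readable by group or other users. The script below is an added example, not part of Corda's own tooling; it assumes the paths are relative to the node base directory as listed above and that hsm.conf is present only when an HSM is configured.

```python
import os
import stat
from pathlib import Path
from typing import Dict, List

# Files that carry secrets according to the tables on this page, relative to the
# node base directory. hsm.conf is optional (only present when an HSM is configured).
SECRET_FILES: Dict[str, str] = {
    "certificates/nodekeystore.jks": "Node CA, legal identity and notary service private keys",
    "certificates/sslkeystore.jks": "TLS private key",
    "node.conf": "keystore/truststore passwords and DB connection strings",
    "hsm.conf": "HSM credentials",
}
OPTIONAL_FILES = {"hsm.conf"}

# Any permission bit for group or other means the file is readable beyond the node's own user.
GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO


def check_secret_file_modes(base_dir: str) -> List[str]:
    """Return findings for secret files that are missing or exposed via file mode.

    Each finding is a single string starting with MISSING or EXPOSED; an empty list
    means every required file exists and is accessible only to its owner.
    """
    findings: List[str] = []
    for rel, what in SECRET_FILES.items():
        path = Path(base_dir) / rel
        if not path.exists():
            if rel not in OPTIONAL_FILES:
                findings.append(f"MISSING {rel}: expected to hold {what}")
            continue
        mode = path.stat().st_mode
        if mode & GROUP_OR_OTHER:
            findings.append(
                f"EXPOSED {rel}: mode {stat.filemode(mode)} is group/world accessible; holds {what}"
            )
    return findings


if __name__ == "__main__":
    # Assumed location: the node base directory is the current working directory.
    for line in check_secret_file_modes(os.getcwd()) or ["OK: no findings"]:
        print(line)
```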