Corda secrets
This page documents the secrets that are managed and required by a Corda installation. The secrets fall into two categories:
- Cryptographic keys.
- Passwords.
The relationships between the secrets and Corda components is shown in the following diagram.

Node
Secrets managed by a Corda Node
Secret | Location | Path | Protection | Accessible by | Description |
---|---|---|---|---|---|
Node CA private key | Disk | certificates/nodekeystore.jks | JKS | Node | Node CA certificate issued by the Doorman (cordaclientca ) |
Legal Identity private key | Disk | certificates/nodekeystore.jks | JKS | Node | Legal identity used to sign transactions (identity-private-key ) |
TLS private key | Disk | certificates/sslkeystore.jks | JKS | Node | Certificate used for TLS communication (cordaclienttls ) |
Node CA private key | HSM | - | - | - | Node CA certificate issued by the Doorman |
Legal Identity private key | HSM | - | - | - | Legal identity used to sign transactions |
Confidential identity | DB | Vault database (NODE_OUR_KEY_PAIRS ) | Node | Confidential Identity private keys, stored unencrypted | |
Node keystore password | Disk | node.conf | Node Password used to protect the integrity of the node keystore | ||
TSL keystore password | Disk | node.conf | Node Password used to protect the integrity of the SSL keystore | ||
Truststore password | Disk | node.conf | Node | Password used to protect the integrity of the trust store | |
HSM credentials | Disk | hsm.conf | Node | Credentials for accessing the HSM, if configured. | |
Vault DB connection | Disk | node.conf | Node | Database connection string that includes username & password | |
RPC credentials connection | Disk | node.conf | Node | Database connections string for storing RPC credentials | |
RPC credentials | DB | Creds databse | Salted + Hashed (SHA256) | Node | Usernames & salted (& hashed) passwords in external data store |
Notary
Additional secrets managed by a Corda Notary
Secret | Location | Path | Protection | Accessible by | Description |
---|---|---|---|---|---|
Notary service key | Disk | certificates/nodekeystore.jks | JKS | Notary | Notary service identity issued by the Doorman (distributed-notary-private-key ) |
Float & Bridge
Secrets managed by the Corda Float & Bridge
Secret | Location | Path | Description |
---|---|---|---|
TLS private key | Disk | certificates/sslkeystore.jks | Certificate used for TLS communication |
TLS keystore password | Disk | node.conf | |
Trust store password | Disk | node.conf | Password used to protect the integrity of the trust store |