Trading View Automation

Setting Up HashiCorp Vault + EthSigner


Last updated 6 months ago


Introduction

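HashiCorp Vault (hereafter called Vault) allows you to securely store secrets in one place. Docs: https://developer.hashicorp.com/vault/tutorials/getting-started

EthSigner allows you to sign transactions in an isolated environment using a private key secured by Vault. Docs: https://docs.ethsigner.consensys.io/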

Security Notes

The connection between EthSigner and Vault is secured by TLS (the private key is passed along this connection). The connection between the NodeJS App and EthSigner is not secured by TLS, which is not a major concern as the signed transaction object cannot be used in replay attacks. All traffic stays on the loopback interface (localhost) of your local server, so no messages are passed over your local network.

Install HashiCorp Vault

  1. sudo apt update

    • refreshes apt's package lists so the installs below see the latest available versions

  2. sudo apt install gpg wget

    • installs gpg (GNU Privacy Guard), which is a cryptography library, and wget, which is like curl but used mostly for downloading files

  3. wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg

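    • This downloads a "keyring" from HashiCorp and puts it into the file defined by the last part of the command (the pipe key "|" takes the output of the statement before it and uses it as the input for the statement after it)

    • If you get a certificate verification error, use wget -O- https://apt.releases.hashicorp.com/gpg --no-check-certificate | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg

      • --no-check-certificate turns off TLS verification of the download, so in that case the fingerprint comparison in the next step is the only check that the key really comes from HashiCorp

  4. gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint

    • This prints the fingerprint of the key in the keyring. Verify the keyring by comparing it with the fingerprint HashiCorp publishes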

  5. echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list

    • This writes the string in the quotes to the file after the pipe key ("|"). The string is an apt source entry: "deb" marks a repository of binary packages at the https URL, and "signed-by" tells apt to accept only packages signed with the keyring you downloaded earlier. "$(lsb_release -cs)" prints the release codename of your Ubuntu system.

  6. sudo apt update && sudo apt install vault

    • This installs Vault using the apt package manager

  7. Check installation with vault and vault --version

Install EthSigner

  1. sudo apt-get install openjdk-17-jdk

    • Installs Java 17 (must use Java 17, not Java 11); 500MB

  2. Download ethsigner.tar.gz file (.tar.gz is like a .zip file) in link: https://cloudsmith.io/~consensys/repos/ethsigner/packages/?q=tag%3Alatest

  3. cd into the folder where you want the folder extracted

  4. tar -xzvf filename.tar.gz

    • extracts the files into a folder called "ethsigner-23.6.0"

  5. Check installation

    1. cd into "ethsigner-23.6.0" folder and run ./bin/ethsigner --help

      • Success shows a list of EthSigner commands

      • If it doesn't work, check the permissions of the "ethsigner" binary:

        1. cd into "ethsigner-23.6.0" folder, cd into "bin" folder

        2. run ls, you should see the files "ethsigner" and "ethsigner.bat"

        3. run ls -l ./ethsigner, ensure you have "x" (executable) permissions. If not, then run chmod +x ./ethsigner

Prepare Files To Enable TLS Between EthSigner and Vault

  1. cd "ethsigner-23.6.0" folder, mkdir tls, cd into "tls" folder

  2. Generate the TLS private key and certificate

    1. openssl req -x509 -sha256 -days 3560 -nodes -newkey rsa:2048 -subj "/CN=localhost" -addext "subjectAltName=IP:127.0.0.1" -keyout vault.key -out vault.crt

      • the option -addext "subjectAltName=IP:127.0.0.1" adds a Subject Alternative Name to the certificate, which is usually not needed but is needed for HashiCorp Vault

  3. Get SHA-256 fingerprint of vault.crt

    1. openssl x509 -in vault.crt -noout -fingerprint -sha256

    2. Copy it to somewhere temporarily (we will use it in next step)

  4. For TLS connections, EthSigner requires a "knownServers" file. From the perspective of EthSigner, HashiCorp Vault is a server

    1. touch knownServers && vim knownServers

    2. press i to start editing, enter two lines:

      1. line 1: localhost:8200 <sha256 fingerprint of vault.crt>

      2. line 2: 127.0.0.1:8200 <sha256 fingerprint of vault.crt>

      3. ctrl + c , :wq, then Enter to save & exit
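The steps in this section as one script, added here as an example (not part of the original guide). The function names and the umask are additions; the openssl commands and the two knownServers lines are the ones above. check_known_servers catches the case where vault.crt was regenerated but knownServers still holds the old fingerprint, which would make EthSigner reject the connection to Vault.

```bash
#!/usr/bin/env bash
# Added example: scripted version of the "tls" folder steps above.
set -eu

# Print the SHA-256 fingerprint of a PEM certificate as colon-separated hex.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Create vault.key, vault.crt and knownServers inside directory $1.
make_tls_files() {
  dir=$1
  mkdir -p "$dir"
  ( umask 077   # addition: keep vault.key unreadable for other users
    openssl req -x509 -sha256 -days 3560 -nodes -newkey rsa:2048 \
      -subj "/CN=localhost" -addext "subjectAltName=IP:127.0.0.1" \
      -keyout "$dir/vault.key" -out "$dir/vault.crt" 2>/dev/null )
  fp=$(cert_fingerprint "$dir/vault.crt")
  # One line per name EthSigner may use to reach Vault, same pin on both.
  printf '%s %s\n' "localhost:8200" "$fp" "127.0.0.1:8200" "$fp" \
    > "$dir/knownServers"
}

# Return 0 only if every knownServers entry pins the current vault.crt.
check_known_servers() {
  dir=$1
  fp=$(cert_fingerprint "$dir/vault.crt")
  [ -s "$dir/knownServers" ] || return 1
  while read -r host pinned; do
    [ "$pinned" = "$fp" ] || { echo "stale pin for $host" >&2; return 1; }
  done < "$dir/knownServers"
}

# Usage, from the "ethsigner-23.6.0" folder:
#   make_tls_files ./tls && check_known_servers ./tls
```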

Run Vault Server & Import Private Key

  1. cd into "ethsigner-23.6.0" folder (cd out of "tls" folder)

  2. create config.hcl file

    1. touch config.hcl && vim config.hcl

    2. i to start editing. Copy in the below:

      • storage "raft" {
          path    = "./vault/data"
          node_id = "node1"
        }

        listener "tcp" {
          address       = "127.0.0.1:8200"
          tls_cert_file = "./tls/vault.crt"
          tls_key_file  = "./tls/vault.key"
        }

        disable_mlock = true

        # the listener above serves TLS, so the advertised API address uses https
        api_addr     = "https://127.0.0.1:8200"
        cluster_addr = "https://127.0.0.1:8201"
        ui           = true

    3. ctrl + c , :wq, then Enter to save & exit

  3. mkdir -p ./vault/data to create "vault/data" folder

    • If you previously created a Vault instance, be sure to delete all contents of old data folder

    • This is where encrypted secrets are stored using Raft, which is the Integrated Storage backend used to persist Vault's data

  4. Run Vault server in tmux window

    1. tmux new -s vault (you should be in "ethsigner-23.6.0" folder)

    2. vault server -config=config.hcl

    3. ctrl + b, then d to leave tmux

  5. Initialize Vault

    1. set env var export VAULT_CAPATH="/home/brianhuang/ethsigner-23.6.0/tls/vault.crt"

      • replace full path with one for your system

    2. vault operator init

      • Success shows five "Unseal Keys" and one "Initial Root Token"

    3. Save the "Initial Root Token" somewhere temporarily

      • This token is used for authenticating a terminal session

    4. Save the "Unseal Keys" somewhere extremely safe, possibly in separate locations

      • 3 of 5 Unseal Keys can unseal the Vault and reveal the secrets inside

  6. EthSigner requires that you save the Initial Root Token into a file

    1. cd into "ethsigner-23.6.0" folder, cd into "bin" folder

    2. touch authFile && vim authFile

    3. i to edit, paste Initial Root Token into first line

    4. ctrl + c , :wq, then Enter to save & exit

  7. Unseal the Vault to import your private key and initialize EthSigner (you will seal it back up later)

    1. vault operator unseal

    2. copy in one Unseal Key (characters will not show), then press Enter

    3. Repeat the above two steps two more times with the 2nd and 3rd Unseal Keys (you need 3/5 keys to unseal the Vault)

  8. Authenticate your terminal

    1. must have VAULT_CAPATH env var in this terminal

      1. export VAULT_CAPATH="/home/brianhuang/ethsigner-23.6.0/tls/vault.crt"

    2. vault login

    3. paste in the Initial Root Token

      • Success shows: "Success! You are now authenticated."

  9. Import private keys (see Static Secrets: Key/value secrets engine for more info)

    1. Enable storage path with vault secrets enable -path=secret kv

      • Success shows: "Success! Enabled the kv secrets engine at: secret/"

    2. Upgrade Key/Value Secrets Engine from v1 to v2 with vault kv enable-versioning secret/

      • Success shows: "Success! Tuned the secrets engine at: secret/"

    3. Add private key with vault kv put secret/ethsignerSigningKey value=<privateKeyWithout0x>

Run EthSigner Server

  1. cd into "ethsigner-23.6.0" folder (you may be in "bin" folder right now)

  2. create new tmux window called "ethsigner" with tmux new -s ethsigner

  3. ./bin/ethsigner --chain-id=137 --downstream-http-port=443 hashicorp-signer --host=127.0.0.1 --port=8200 --auth-file=./bin/authFile --signing-key-path=/v1/secret/data/ethsignerSigningKey --tls-known-server-file=./tls/knownServers

    • Replace above with correct chain ID (137 = "Polygon")

  4. Leave tmux window with ctrl + b, then d

  5. Check EthSigner is running

    1. test1: curl -X GET http://127.0.0.1:8545/upcheck

      • Success should show "I'm up!"

    2. test2: curl -X POST --data '{"jsonrpc":"2.0","method":"eth_accounts","params":[],"id":1}' http://127.0.0.1:8545

      • Success should show your address

  6. Seal the Vault with vault operator seal

    • Success shows: "Success! Vault is sealed."

View all active ports with sudo lsof -i -P -n | grep LISTEN

Test

Send a Trading View alert or mimic one using sendAlert.js.

If you already set up Ngrok, use the Ngrok URL as the webhook URL. If not, your NodeJS App should be listening on http://localhost:8080/. If using the "localhost" URL, you must run node sendAlert.js on the same machine.

A successful test should show the transaction details and the swap hash in the console.

Links

  • EthSigner downloads: https://cloudsmith.io/~consensys/repos/ethsigner/packages/?q=tag%3Alatest
  • HashiCorp Vault docs: https://developer.hashicorp.com/vault/tutorials/getting-started
  • EthSigner docs: https://docs.ethsigner.consensys.io/