Using EthSigner with Hashicorp Vault

EthSigner supports storing the signing key in a Hashicorp Vault.


EthSigner with Hashicorp Vault does not support TLS. If using a remote Hashicorp Vault, apply appropriate security.

Storing Private Key in Hashicorp Vault

After installing Hashicorp Vault and starting the server:

  1. Set the VAULT_ADDR environment variable using the command displayed after starting the server:

    export VAULT_ADDR=''

  2. Save the root token displayed after starting the server in a file called authFile.

  3. Put your signing key into the Hashicorp Vault:

    vault kv put secret/ethsignerSigningKey value=<Private Key ex 0x)
    vault kv put secret/ethsignerSigningKey value=8f2a55949038a9610f50fb23b5883af3b4ecb3c3bb792cbcefbd1542c692be63

    The private key is stored in the default location for EthSigner. The key must be a base 64 encoded private key for ECDSA for curve secp256k1.

Start Pantheon

Start Pantheon with the --rpc-http-port option set to 8590 to avoid conflict with the default EthSigner listening port (8545).


pantheon --network=dev --miner-enabled --miner-coinbase=0xfe3b557e8fb62b89f4916b721be55ceb828dbd73 --rpc-http-cors-origins="all" --host-whitelist=* --rpc-http-enabled --rpc-http-port=8590 --data-path=/tmp/tmpDatdir

Start EthSigner with Hashicorp Vault Signing

Start EthSigner.


ethsigner --chain-id=2018 --downstream-http-port=8590 hashicorp-signer --host= --port=8200 --auth-file=authFile


Use the –http-listen-port option to change the EthSigner listening port if 8545 is in use.

You can now use EthSigner to sign transactions with the key stored in the Hashicorp Vault.