Skip to content
You are reading EthSigner development version documentation and some displayed features may not be available in the stable release. You can switch to stable version using the version box at screen bottom.

Using EthSigner with Hashicorp Vault

EthSigner supports storing the signing key in a Hashicorp Vault.


EthSigner with Hashicorp Vault does not support TLS. If using a remote Hashicorp Vault, apply appropriate security.

Storing Private Key in Hashicorp Vault

After installing Hashicorp Vault and starting the server:

  1. Set the VAULT_ADDR environment variable using the command displayed after starting the server:

    export VAULT_ADDR=''

  2. Save the root token displayed after starting the server in a file called authFile.

  3. Put your signing key into the Hashicorp Vault:

    vault kv put secret/ethsignerSigningKey value=<Private Key ex 0x)
    vault kv put secret/ethsignerSigningKey value=8f2a55949038a9610f50fb23b5883af3b4ecb3c3bb792cbcefbd1542c692be63

    The private key is stored in the default location for EthSigner. The key must be a base 64 encoded private key for ECDSA for curve secp256k1.

Start Pantheon

Start Pantheon with the --rpc-http-port option set to 8590 to avoid conflict with the default EthSigner listening port (8545).


pantheon --network=dev --miner-enabled --miner-coinbase=0xfe3b557e8fb62b89f4916b721be55ceb828dbd73 --rpc-http-cors-origins="all" --host-whitelist=* --rpc-http-enabled --rpc-http-port=8590 --data-path=/tmp/tmpDatdir

Start EthSigner with Hashicorp Vault Signing

Start EthSigner.


ethsigner --chain-id=2018 --downstream-http-port=8590 hashicorp-signer --host= --port=8200 --auth-file=authFile


Use the –http-listen-port option to change the EthSigner listening port if 8545 is in use.

You can now use EthSigner to sign transactions with the key stored in the Hashicorp Vault.

Questions or feedback? You can discuss issues and obtain free support on EthSigner Gitter channel.
For paid professional support by PegaSys, contact us at [email protected]