Skip to content
Last update: March 8, 2022

Multikey parameters

The optional [metadata] section in the TOML files contains data that is not required by EthSigner. The [signing] section contains the parameters required for the signing type.


All parameters in the [signing] section are mandatory.

File-based signing


createdAt = 1994-11-05T08:15:30-05:00
description = "Example of a File based configuration"

type = "file-based-signer"
key-file = "/Users/me/project/78e6e236592597c09d5c137c2af40aecd42d12a2.key"
password-file = "/Users/me/project/78e6e236592597c09d5c137c2af40aecd42d12a2.password"


EthSigner supports absolute paths or relative paths when specifying key-file and password-file. Relative paths are relative to the directory specified in the multikey-signer --directory subcommand.

Key Description
type Type of key signing. Use file-based-signer
key-file V3 keystore file containing the key with which transactions are signed
password-file File containing the password for the key with which transactions are signed.

HashiCorp Vault signing


createdAt = 2019-07-01T12:11:30Z
description = "Example of a valid HashiCorp based configuration"

type = "hashicorp-signer"
keyPath = "/v1/secret/data/ethsignerKey"
keyName = "value"
token = "root_token"
serverHost = "localhost"
serverPort = 8200
timeout = 5000
tlsEnabled = true
tlsTrustStoreType = "ALLOWLIST"
tlsTrustStorePath = "/Users/me/project/knownHashicorpServers"


The value of keyPath is dependent on how HashiCorp Vault secret engine is configured. It’s usually in the format of /v1/<secret-engine-name>/data/<secret-path>. For example, in HashiCorp Vault dev mode, a default secret engine with name secret is created. Creating a path EthSignerKeys in secret would result in the keyPath value to be /v1/secret/data/EthSignerKeys.

Key Description
type Type of key signing. Use hashicorp-signer
keyPath Path to secret in the HashiCorp Vault containing the private key for signing transactions.
keyName Name of the key that maps to the private key in the secret. Defaults to value.
token HashiCorp Vault authentication token that is required to access the secret defined by the keyPath.
serverHost Host of the HashiCorp Vault server.
serverPort Port of the HashiCorp Vault server. Defaults to 8200.
timeout Timeout in milliseconds for requests to the HashiCorp Vault server. Defaults to 10000.
tlsEnable Enable/Disable TLS communication with HashiCorp Vault server. Defaults to true.
tlsTrustStoreType The type of Truststore that stores HashiCorp Vault server TLS certificate. Valid values are ALLOWLIST, JKS, PKCS12 and PEM. Can be omitted if HashiCorp server’s CA is already trusted.
tlsTrustStorePath Path to the Truststore file. Required when tlsTrustStoreType is specified. See example of how to create an ALLOWLIST Truststore file.
tlsTrustStorePassword Password to decrypt truststore file. Only required for JKS and PKCS12 truststore types.

Azure Key Vault signing


createdAt = 2011-11-01T12:15:30Z
description = "Example of an Azure Key Vault based configuration"

type = "azure-signer"
key-vault-name = "AzureKeyVault"
key-name = "ethsignerKey"
key-version = "7c01fe58d68148bba5824ce418241092"
client-id = "47efee5c-8079-4b48-31bb4f2e9a22"
client-secret = "TW_3Uc/HLPdpLp5*[email protected]*5"
tenant-id = "34255fb0-379b-4a1a-bd47-d211ab86df81"
Key Description
type Type of key signing. Use azure-signer
key-vault-name Name of the vault to access. Sub-domain of
key-name Name of key to be used
key-version Version of the specified key
client-id ID used to authenticate with Azure Key Vault
client-secret Secret used to access the vault
tenant-id The tenant ID used to authenticate with Azure Key Vault.
Back to top