| title | sidebar_position | description | tags | |
|---|---|---|---|---|
Create a privacy enabled network using the Quickstart |
1 |
Configure Besu privacy |
|
import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem';
:::caution
Tessera-based privacy is deprecated in Besu version 24.12.0 and later. Please read this blog post for more context on the rationale behind this decision as well as alternative options.
:::
Configuring a network that supports private transactions requires starting a Tessera node for each Besu node. Besu command line options associate the Besu node with the Tessera node.
This tutorial assumes you have completed setting up an IBFT 2.0 network to the point where you have created the genesis file and copied the private keys. If not, complete steps 1 to 5 of the Create an IBFT 2.0 tutorial before continuing.
:::important
To support privacy, ensure your genesis file includes at least the byzantium milestone.
This tutorial configures a private network using IBFT 2.0 for educational purposes only. IBFT 2.0 requires 4 validators to be Byzantine fault tolerant.
:::
In this tutorial we start Tessera nodes for the four Besu nodes and associate each Besu node with a Tessera node.
Inside each Node-* directory, create a Tessera directory:
IBFT-Network/
├── Node-1
│ ├── data
│ ├── Tessera
├── Node-2
│ ├── data
│ ├── Tessera
├── Node-3
│ ├── data
│ ├── Tessera
└── Node-4
├── data
├── TesseraThis example creates an unlocked private key, meaning you do not need a password to decrypt the private key file.
In each Tessera directory, generate a public/private key pair for the Tessera node:
tessera -keygen -filename nodeKeyAt the prompt, press Enter to create an unlocked key.
Tessera generates the public/private key pair and saves the keys in the nodeKey.pub and nodeKey.key files.
In the Tessera directory for each node, create a file called tessera.conf, with the following configuration:
:::important
In production environments, only specify tls as OFF if another transport security mechanism, such as WireGuard, is in place.
:::
{
"mode": "orion",
"useWhiteList": false,
"jdbc": {
"username": "sa",
"password": "",
"url": "jdbc:h2:./target/h2/tessera1",
"autoCreateTables": true
},
"serverConfigs": [
{
"app": "ThirdParty",
"serverAddress": "http://localhost:9101",
"communicationType": "REST"
},
{
"app": "Q2T",
"serverAddress": "http://localhost:9102",
"communicationType": "REST"
},
{
"app": "P2P",
"serverAddress": "http://localhost:9103",
"sslConfig": {
"tls": "OFF"
},
"communicationType": "REST"
}
],
"peer": [
{
"url": "http://localhost:9203"
},
{
"url": "http://localhost:9303"
},
{
"url": "http://localhost:9403"
}
],
"keys": {
"passwords": [],
"keyData": [
{
"privateKeyPath": "nodeKey.key",
"publicKeyPath": "nodeKey.pub"
}
]
},
"alwaysSendTo": []
}{
"mode": "orion",
"useWhiteList": false,
"jdbc": {
"username": "sa",
"password": "",
"url": "jdbc:h2:./target/h2/tessera1",
"autoCreateTables": true
},
"serverConfigs": [
{
"app": "ThirdParty",
"serverAddress": "http://localhost:9201",
"communicationType": "REST"
},
{
"app": "Q2T",
"serverAddress": "http://localhost:9202",
"communicationType": "REST"
},
{
"app": "P2P",
"serverAddress": "http://localhost:9203",
"sslConfig": {
"tls": "OFF"
},
"communicationType": "REST"
}
],
"peer": [
{
"url": "http://localhost:9103"
},
{
"url": "http://localhost:9303"
},
{
"url": "http://localhost:9403"
}
],
"keys": {
"passwords": [],
"keyData": [
{
"privateKeyPath": "nodeKey.key",
"publicKeyPath": "nodeKey.pub"
}
]
},
"alwaysSendTo": []
}{
"mode": "orion",
"useWhiteList": false,
"jdbc": {
"username": "sa",
"password": "",
"url": "jdbc:h2:./target/h2/tessera1",
"autoCreateTables": true
},
"serverConfigs": [
{
"app": "ThirdParty",
"serverAddress": "http://localhost:9301",
"communicationType": "REST"
},
{
"app": "Q2T",
"serverAddress": "http://localhost:9302",
"communicationType": "REST"
},
{
"app": "P2P",
"serverAddress": "http://localhost:9303",
"sslConfig": {
"tls": "OFF"
},
"communicationType": "REST"
}
],
"peer": [
{
"url": "http://localhost:9103"
},
{
"url": "http://localhost:9203"
},
{
"url": "http://localhost:9403"
}
],
"keys": {
"passwords": [],
"keyData": [
{
"privateKeyPath": "nodeKey.key",
"publicKeyPath": "nodeKey.pub"
}
]
},
"alwaysSendTo": []
}{
"mode": "orion",
"useWhiteList": false,
"jdbc": {
"username": "sa",
"password": "",
"url": "jdbc:h2:./target/h2/tessera1",
"autoCreateTables": true
},
"serverConfigs": [
{
"app": "ThirdParty",
"serverAddress": "http://localhost:9401",
"communicationType": "REST"
},
{
"app": "Q2T",
"serverAddress": "http://localhost:9402",
"communicationType": "REST"
},
{
"app": "P2P",
"serverAddress": "http://localhost:9403",
"sslConfig": {
"tls": "OFF"
},
"communicationType": "REST"
}
],
"peer": [
{
"url": "http://localhost:9103"
},
{
"url": "http://localhost:9203"
},
{
"url": "http://localhost:9303"
}
],
"keys": {
"passwords": [],
"keyData": [
{
"privateKeyPath": "nodeKey.key",
"publicKeyPath": "nodeKey.pub"
}
]
},
"alwaysSendTo": []
}In the configuration file, specify:
- Different port numbers for the various servers in the
serverConfigssection. - The address of the Tessera nodes to discover, in the
peersection. - The location of the public/private key pair.
In each Tessera directory, start Tessera specifying the configuration file created in the previous step:
tessera -configfile tessera.conf:::info
After starting the first Tessera node and before starting the other nodes, the log message failed to connect to node displays. This is normal behavior. Until you start the other peer nodes, your node is not connected and displays this warning. You can continue to start the other nodes.
:::
In the Node-1 directory, start Besu Node-1:
besu --data-path=data --genesis-file=../genesis.json --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,EEA,PRIV --host-allowlist="*" --rpc-http-cors-origins="all" --privacy-enabled --privacy-url=http://127.0.0.1:9102 --privacy-public-key-file=Tessera/nodeKey.pub --profile=ENTERPRISEbesu --data-path=data --genesis-file=..\genesis.json --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,EEA,PRIV --host-allowlist="*" --rpc-http-cors-origins="all" --privacy-enabled --privacy-url=http://127.0.0.1:9102 --privacy-public-key-file=Tessera\nodeKey.pub --profile=ENTERPRISEThe command line specifies privacy options:
--privacy-enabledenables privacy.--privacy-urlspecifies the Q2T server address of the Tessera node (Q2Tintessera.conf).--privacy-public-key-filespecifies the file containing Tessera node public key (created in 3. Generate Tessera Keys).--rpc-http-apiincludesEEAandPRIVin the list of JSON-RPC APIs to enable privacy JSON-RPC API methods.
:::note
Use the --privacy-marker-transaction-signing-key-file command line option to sign privacy marker transactions using a supplied key. The command line option is mandatory in privacy-enabled paid gas networks.
:::
When the node starts, the enode URL displays. Copy the enode URL to specify Node-1 as the bootnode in the following steps.
In the Node-2 directory, start Besu Node-2 specifying the Node-1 enode URL copied when starting Node-1 as the bootnode:
besu --data-path=data --genesis-file=../genesis.json --bootnodes=<Node-1 Enode URL> --p2p-port=30304 --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,EEA,PRIV --host-allowlist="*" --rpc-http-cors-origins="all" --rpc-http-port=8546 --privacy-enabled --privacy-url=http://127.0.0.1:9202 --privacy-public-key-file=Tessera/nodeKey.pub --profile=ENTERPRISEbesu --data-path=data --genesis-file=..\genesis.json --bootnodes=<Node-1 Enode URL> --p2p-port=30304 --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,EEA,PRIV --host-allowlist="*" --rpc-http-cors-origins="all" --rpc-http-port=8546 --privacy-enabled --privacy-url=http://127.0.0.1:9202 --privacy-public-key-file=Tessera\nodeKey.pub --profile=ENTERPRISEThe command line specifies the same options as for Node-1 with different ports and Tessera node URL. The --bootnodes option specifies the enode URL of Node-1.
:::note
When running Besu from the Docker image, expose ports.
:::
In the Node-3 directory, start Besu Node-3 specifying the Node-1 enode URL copied when starting Node-1 as the bootnode:
besu --data-path=data --genesis-file=../genesis.json --bootnodes=<Node-1 Enode URL> --p2p-port=30305 --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,EEA,PRIV --host-allowlist="*" --rpc-http-cors-origins="all" --rpc-http-port=8547 --privacy-enabled --privacy-url=http://127.0.0.1:9302 --privacy-public-key-file=Tessera/nodeKey.pub --profile=ENTERPRISEbesu --data-path=data --genesis-file=..\genesis.json --bootnodes=<Node-1 Enode URL> --p2p-port=30305 --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,EEA,PRIV --host-allowlist="*" --rpc-http-cors-origins="all" --rpc-http-port=8547 --privacy-enabled --privacy-url=http://127.0.0.1:9302 --privacy-public-key-file=Tessera\nodeKey.pub --profile=ENTERPRISEThe command line specifies the same options as for Node-1 with different ports and Tessera node URL. The --bootnodes option specifies the enode URL of Node-1.
In the Node-4 directory, start Besu Node-4 specifying the Node-1 enode URL copied when starting Node-1 as the bootnode:
besu --data-path=data --genesis-file=../genesis.json --bootnodes=<Node-1 Enode URL> --p2p-port=30306 --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,EEA,PRIV --host-allowlist="*" --rpc-http-cors-origins="all" --rpc-http-port=8548 --privacy-enabled --privacy-url=http://127.0.0.1:9402 --privacy-public-key-file=Tessera/nodeKey.pub --profile=ENTERPRISEbesu --data-path=data --genesis-file=..\genesis.json --bootnodes=<Node-1 Enode URL> --p2p-port=30306 --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,EEA,PRIV --host-allowlist="*" --rpc-http-cors-origins="all" --rpc-http-port=8548 --privacy-enabled --privacy-url=http://127.0.0.1:9402 --privacy-public-key-file=Tessera\nodeKey.pub --profile=ENTERPRISEThe command line specifies the same options as for Node-1 with different ports and Tessera node URL. The --bootnodes option specifies the enode URL of Node-1.