Skip to main content

File-Based Secret Storage (Insecure)

MavSeal file-based signer mode allows operation without an HSM or Key Vault service for evaluation and prototyping purposes. By storing the secret key material in a JSON file, users can get MavSeal up and running quickly for evaluation and development purposes.

MavSeal configuration for file-based secret storage

This documentation assumes you will use the official MavSeal docker image, and that you have a working Linux server with docker installed.

Place the following YAML in a file named mavseal.yaml

server:
  address: :6732
  utility_address: :9583

vaults:
  local_secret:
    driver: file
    config:
      file: /etc/secret.json

mavryk:
  mv19VEmW4zEELeQiBqLHH4RHgysYuLe4P6xt:
    log_payloads: true
    allow:
      block:
      endorsement:
      preendorsement:
      generic:
        - transaction

The mv19VEmW4zEELeQiBqLHH4RHgysYuLe4P6xt key corresponds to the secret key that you will put in /etc/secret.json

Contents of secret.json is:

[ 
  { 
    "name": "<address_alias>",
    "value": "unencrypted:<your_secret_key>" 
  }
]

Running MavSeal

Next, you want to run the mavseal docker image as follows:

Remember to secure the network where MavSeal is running

docker run -it --rm \
    -v "$(realpath mavseal.yaml):/etc/mavseal.yaml" \
    -v "$(realpath secret.json):/etc/secret.json" \
    -p 6732:6732 \
    -p 9583:9583 \
    mavrykdynamics/mavseal:latest serve -c /etc/mavseal.yaml

Verify that MavSeal is working

You can test that MavSeal works, making a GET request using the Public Key Hash (PKH). MavSeal will return a JSON payload containing the public key.

curl mavseal:6732/keys/mv19VEmW4zEELeQiBqLHH4RHgysYuLe4P6xt

A response such as the following should be expected:

{"public_key":"edpktn6UGrMQUjhWQJ5kY4qWoCp1sDZWkK5ugizTc5jHSifG1j3r8o"}

You can test the signing functionality by making a POST request as follows:

curl -XPOST \
    -d '"027a06a770e6cebe5b3e39483a13ac35f998d650e8b864696e31520922c7242b88c8d2ac55000003eb6d"' \
    mavseal:6732/keys/mv19VEmW4zEELeQiBqLHH4RHgysYuLe4P6xt

Which should return an HTTP 200 OK with a payload similar to:

{"signature":"sigWetzF5zVM2qdYt8QToj7e5cNBm9neiPRc3rpePBDrr8N1brFbErv2YfXMSoSgemJ8AwZcLfmkBDg78bmUEzF1sf1YotnS"}

If you repeat the same signing operation more than once, you will get an error from the High-Watermark feature. This safety measure prevents the injection of duplicate operations.

The payload on this request resembles a Mavryk endorsement emitted from a Mavryk Baker node.