These packages and plugins for Hashicorp products are early work. Not mature or battle-tested. No warrany is expressed or implied.
Vault Plugin for Algorand
This plugin adds Vault support for Algorand keypairs, addresses, and signatures. This brief guide to usage assumes familiarity with both Algorand and Vault.
Build Algorand Plugin
go build -o vault/plugins/algorand
Enable Algorand Plugin
vault secrets enable algorand
Configure Algorand Plugin
In this example, we'll configure the default mount path (algorand/) to create 2-of-3 multisign accounts. This plugin will generate one of the signing keypairs. The others, this guide assumes have been generated already. We'll use variables $ADMINKEY, and $USERKEY to refer to the public keys created by some external Algorand tool.
First, as Vault operator, we configure the admin key. All future multisign addresses on the algorand/ path will be 2-of-3, and one of the signing keys will be this admin key.
vault write algorand/config/admin signer=$ADMIN_KEY
Next, as Vault operator, we specify the signing threshold (two).
vault write algorand/config threshold=2 failsafe=false
Note the use of "failsafe=false". By default, the plugin requires the
administrator to configure signing addresses that equal or exceed the
threshold. These "failsafe" signing keys imply that should there be a
catastophic failure that erases all of Vault's data, the Algorand assets
could be recovered by operators who can produce the threshold number of
signatures. In this example, we're disabling the failsafe. If we wanted to
keep it enabled, we'd configure a second operator key, i.e.
algorand/config/admin2 signer=$ADMIN2_KEY, and the addresses that Vault
creates would be 2-of-4 (two admin signing keys, one user key, and one
At this point, the algorand/ path is configured. So a user can create an address:
vault write algorand/address/user signer=$USER_KEY
This prompts the plugin to (a) generate a signing keypair, and (b) create a multisign address with threshold two and signers Vault, user, and admin.
To learn the created Algorand address:
vault read algorand/address/user
To sign a transaction, first create the transaction (with Algorand tool of your choice). Then:
vault write algorand/address/user/sign email@example.com
signed field return will be the transaction, signed by the
To complate the transaction, sign again with the user-managed key (or admin-managed key), and submit.