Hashicorp Plugins


These packages and plugins for Hashicorp products are early work. Not mature or battle-tested. No warrany is expressed or implied.

Vault Plugin for Algorand

This plugin adds Vault support for Algorand keypairs, addresses, and signatures. This brief guide to usage assumes familiarity with both Algorand and Vault.

Build Algorand Plugin

go build -o vault/plugins/algorand

Enable Algorand Plugin

vault secrets enable algorand

Configure Algorand Plugin

In this example, we'll configure the default mount path (algorand/) to create 2-of-3 multisign accounts. This plugin will generate one of the signing keypairs. The others, this guide assumes have been generated already. We'll use variables $ADMINKEY, and $USERKEY to refer to the public keys created by some external Algorand tool.

First, as Vault operator, we configure the admin key. All future multisign addresses on the algorand/ path will be 2-of-3, and one of the signing keys will be this admin key.

vault write algorand/config/admin signer=$ADMIN_KEY

Next, as Vault operator, we specify the signing threshold (two).

vault write algorand/config threshold=2 failsafe=false

Note the use of "failsafe=false". By default, the plugin requires the administrator to configure signing addresses that equal or exceed the threshold. These "failsafe" signing keys imply that should there be a catastophic failure that erases all of Vault's data, the Algorand assets could be recovered by operators who can produce the threshold number of signatures. In this example, we're disabling the failsafe. If we wanted to keep it enabled, we'd configure a second operator key, i.e. vault write algorand/config/admin2 signer=$ADMIN2_KEY, and the addresses that Vault creates would be 2-of-4 (two admin signing keys, one user key, and one vault-generated key).

At this point, the algorand/ path is configured. So a user can create an address:

vault write algorand/address/user signer=$USER_KEY

This prompts the plugin to (a) generate a signing keypair, and (b) create a multisign address with threshold two and signers Vault, user, and admin.

To learn the created Algorand address:

vault read algorand/address/user

To sign a transaction, first create the transaction (with Algorand tool of your choice). Then:

vault write algorand/address/user/sign txn=@unsigned.txn

The signed field return will be the transaction, signed by the vault-generated key.

To complate the transaction, sign again with the user-managed key (or admin-managed key), and submit.