Merge branch 'main' into permissioning-cli-dep
macfarla authored Nov 25, 2024
2 parents 20ec2c7 + 7768fe1 commit 9ed58a1
Showing 11 changed files with 38 additions and 32 deletions.
2 changes: 1 addition & 1 deletion docs/private-networks/concepts/permissioning/onchain.md
Expand Up @@ -48,7 +48,7 @@ Permissioning implements three allowlists:

Account permissioning is incompatible with [random key signing](../../how-to/use-privacy/sign-pmts.md) for [privacy marker transactions](../privacy/private-transactions/processing.md).

If using account permissioning and privacy, a signing key must be specified using the [`--privacy-marker-transaction-signing-key-file`](../../reference/cli/options.md#privacy-marker-transaction-signing-key-file) command line option and the corresponding public key included in the accounts allowlist.
If using account permissioning and privacy, a signing key must be specified using the [`--privacy-marker-transaction-signing-key-file`](../../reference/cli/options.md#privacy-marker-transaction-signing-key-file-deprecated) command line option and the corresponding public key included in the accounts allowlist.

:::

Expand Up @@ -72,7 +72,7 @@ The following private transaction flow illustrates when nonce validation occurs:

1. Submit a private transaction with a [nonce value](#private-transaction-nonce).
1. The private transaction is distributed to all participants in the privacy group.
1. The PMT is created and submitted to the transaction pool with a nonce of `0` if using one-time accounts. If using a specific account with [`--privacy-marker-transaction-signing-key-file`](../../../reference/cli/options.md#privacy-marker-transaction-signing-key-file), the public nonce for that account is obtained and used for the PMT.
1. The PMT is created and submitted to the transaction pool with a nonce of `0` if using one-time accounts. If using a specific account with [`--privacy-marker-transaction-signing-key-file`](../../../reference/cli/options.md#privacy-marker-transaction-signing-key-file-deprecated), the public nonce for that account is obtained and used for the PMT.
1. The PMT is mined and included in the block.
1. After the block containing the PMT is imported, and the PMT is processed, the private transaction is retrieved from the private transaction manager and executed.

Expand Up @@ -120,10 +120,10 @@ besu --privacy-tls-enabled --privacy-tls-keystore-file=/Users/me/my_node/keystor

The command line:

- Enables TLS with the server using the [`--privacy-tls-enabled`](../../../reference/cli/options.md#privacy-tls-enabled) option.
- Specifies the keystore using the [`--privacy-tls-keystore-file`](../../../reference/cli/options.md#privacy-tls-keystore-file) option.
- Specifies the file that contains the password to decrypt the keystore using the [`--privacy-tls-keystore-password-file`](../../../reference/cli/options.md#privacy-tls-keystore-password-file) option.
- Specifies the trusted servers using the [`--privacy-tls-known-enclave-file`](../../../reference/cli/options.md#privacy-tls-known-enclave-file) option.
- Enables TLS with the server using the [`--privacy-tls-enabled`](../../../reference/cli/options.md#privacy-tls-enabled-deprecated) option.
- Specifies the keystore using the [`--privacy-tls-keystore-file`](../../../reference/cli/options.md#privacy-tls-keystore-file-deprecated) option.
- Specifies the file that contains the password to decrypt the keystore using the [`--privacy-tls-keystore-password-file`](../../../reference/cli/options.md#privacy-tls-keystore-password-file-deprecated) option.
- Specifies the trusted servers using the [`--privacy-tls-known-enclave-file`](../../../reference/cli/options.md#privacy-tls-known-enclave-file-deprecated) option.

<!-- Links -->

2 changes: 1 addition & 1 deletion docs/private-networks/how-to/use-permissioning/local.md
Expand Up @@ -100,7 +100,7 @@ Account allowlisting is at the node level. That is, each node in the network has

Account permissioning is incompatible with [random key signing](../use-privacy/sign-pmts.md) for [privacy marker transactions](../../concepts/privacy/private-transactions/processing.md).

If using account permissioning and privacy, a signing key must be specified using the [`--privacy-marker-transaction-signing-key-file`](../../reference/cli/options.md#privacy-marker-transaction-signing-key-file) command line option and the corresponding public key included in the accounts allowlist.
If using account permissioning and privacy, a signing key must be specified using the [`--privacy-marker-transaction-signing-key-file`](../../reference/cli/options.md#privacy-marker-transaction-signing-key-file-deprecated) command line option and the corresponding public key included in the accounts allowlist.

:::

2 changes: 1 addition & 1 deletion docs/private-networks/how-to/use-privacy/flexible.md
Expand Up @@ -34,7 +34,7 @@ We don't recommend creating flexible privacy groups in a chain with existing [of

## Enable flexible privacy groups

Use the [`--privacy-flexible-groups-enabled`](../../reference/cli/options.md#privacy-flexible-groups-enabled) command line option to enable [flexible privacy groups](../../concepts/privacy/flexible-privacy.md). When flexible privacy groups are enabled, the [`priv_createPrivacyGroup`](../../reference/api/index.md#priv_createprivacygroup), [`priv_deletePrivacyGroup`](../../reference/api/index.md#priv_deleteprivacygroup), and [`priv_findPrivacyGroup`](../../reference/api/index.md#priv_findprivacygroup) methods for [offchain privacy groups](../../concepts/privacy/privacy-groups.md) are disabled.
Use the [`--privacy-flexible-groups-enabled`](../../reference/cli/options.md#privacy-flexible-groups-enabled-deprecated) command line option to enable [flexible privacy groups](../../concepts/privacy/flexible-privacy.md). When flexible privacy groups are enabled, the [`priv_createPrivacyGroup`](../../reference/api/index.md#priv_createprivacygroup), [`priv_deletePrivacyGroup`](../../reference/api/index.md#priv_deleteprivacygroup), and [`priv_findPrivacyGroup`](../../reference/api/index.md#priv_findprivacygroup) methods for [offchain privacy groups](../../concepts/privacy/privacy-groups.md) are disabled.

## Simple flexible privacy group example

Expand Up @@ -50,7 +50,7 @@ For performance and reliability it is advantageous to manage nonces in a statefu

### Use random senders for privacy marker transactions

To avoid public nonce management, privacy marker transactions can be sent using a [random account per transaction](../../../private-networks/reference/cli/options.md#privacy-marker-transaction-signing-key-file). This option is only available for zero gas networks.
To avoid public nonce management, privacy marker transactions can be sent using a [random account per transaction](../../../private-networks/reference/cli/options.md#privacy-marker-transaction-signing-key-file-deprecated). This option is only available for zero gas networks.

### Avoid queuing transactions in Tessera
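Review bot: The link text "random account per transaction" points at `#privacy-marker-transaction-signing-key-file-deprecated`, which is the option a reader leaves out to get random senders, so the target documents the opposite case from the one the sentence describes. Consider linking to the sign-pmts how-to (`how-to/use-privacy/sign-pmts.md`, also changed in this commit) instead, and say in this paragraph that the option is deprecated.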

6 changes: 3 additions & 3 deletions docs/private-networks/how-to/use-privacy/sign-pmts.md
Expand Up @@ -14,7 +14,7 @@ Tessera-based privacy is deprecated in Besu version 24.11.0 and later. Please re

:::

You can sign privacy marker transactions (PMTs) with either a random key or a specified key. To sign privacy marker transactions with a specified private key, use [`--privacy-marker-transaction-signing-key-file`](../../reference/cli/options.md#privacy-marker-transaction-signing-key-file) when starting Besu.
You can sign privacy marker transactions (PMTs) with either a random key or a specified key. To sign privacy marker transactions with a specified private key, use [`--privacy-marker-transaction-signing-key-file`](../../reference/cli/options.md#privacy-marker-transaction-signing-key-file-deprecated) when starting Besu.

:::note

Expand All @@ -24,13 +24,13 @@ The private key file can be the same file used by [`--node-private-key-file`](#n

In networks where you pay gas, you must specify a key and the associated account must contain adequate funds.

In [free gas networks](../configure/free-gas.md), to provide further anonymity by signing each privacy marker transaction with a different random key, exclude the [`--privacy-marker-transaction-signing-key-file`](../../reference/cli/options.md#privacy-marker-transaction-signing-key-file) command line option when starting Besu.
In [free gas networks](../configure/free-gas.md), to provide further anonymity by signing each privacy marker transaction with a different random key, exclude the [`--privacy-marker-transaction-signing-key-file`](../../reference/cli/options.md#privacy-marker-transaction-signing-key-file-deprecated) command line option when starting Besu.

:::caution "Using account permissioning and privacy"

You can't use [account permissioning] with random key signing.

If using account permissioning and privacy, a signing key must be specified using the [`--privacy-marker-transaction-signing-key-file`](../../reference/cli/options.md#privacy-marker-transaction-signing-key-file) command line option and the corresponding public key included in the accounts allowlist.
If using account permissioning and privacy, a signing key must be specified using the [`--privacy-marker-transaction-signing-key-file`](../../reference/cli/options.md#privacy-marker-transaction-signing-key-file-deprecated) command line option and the corresponding public key included in the accounts allowlist.

:::
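Review bot: The caution sentence "If using account permissioning and privacy, a signing key must be specified ..." is edited identically here, in `concepts/permissioning/onchain.md` and in `how-to/use-permissioning/local.md`. Three hand-maintained copies are easy to let drift, as this commit shows by needing the same anchor fix three times; consider keeping the text in one place and including or linking it from the other two pages.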

2 changes: 1 addition & 1 deletion docs/private-networks/reference/api/index.md
Expand Up @@ -1809,7 +1809,7 @@ curl -X POST --data '{"jsonrpc": "2.0","method": "priv_getLogs","params":["vGy/T
### `priv_getPrivacyPrecompileAddress`
Returns the address of the [privacy precompiled contract](../../concepts/privacy/private-transactions/processing.md). The address is derived and based on the value of the [`privacy-flexible-groups-enabled`](../cli/options.md#privacy-flexible-groups-enabled) option.
Returns the address of the [privacy precompiled contract](../../concepts/privacy/private-transactions/processing.md). The address is derived and based on the value of the [`privacy-flexible-groups-enabled`](../cli/options.md#privacy-flexible-groups-enabled-deprecated) option.
#### Parameters
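Review bot: On the changed line, "The address is derived and based on the value of" says the same thing twice, and the option appears as `privacy-flexible-groups-enabled` without the leading `--` that the other option links in this commit use. Since the line is being touched anyway, suggest "The address is derived from the value of the `--privacy-flexible-groups-enabled` option."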
30 changes: 18 additions & 12 deletions docs/private-networks/reference/cli/options.md
Expand Up @@ -487,7 +487,7 @@ For proof-of-stake and proof-of-work networks, see
[`--block-txs-selection-max-time`](../../../public-networks/reference/cli/options.md#block-txs-selection-max-time).
:::

### `privacy-enabled`
### `privacy-enabled` (Deprecated)

<Tabs>
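Review bot: Adding "(Deprecated)" to the `privacy-enabled` heading changes the section's fragment, which is why every inbound link in this commit has to be repointed to `#privacy-enabled-deprecated`; bookmarks and external links to the old `#privacy-enabled` fragment will no longer land on the section. Consider giving these option headings an explicit, stable ID (if the site generator supports one) and carrying the deprecation label in the body text, so a later wording change does not break the links again.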

Expand Down Expand Up @@ -527,13 +527,19 @@ privacy-enabled=false

Enables or disables [private transactions](../../concepts/privacy/index.md). The default is `false`.

:::caution

Tessera-based privacy is deprecated in Besu version 24.11.0 and later. Please read this [blog post](https://www.lfdecentralizedtrust.org/blog/sunsetting-tessera-and-simplifying-hyperledger-besu) for more context on the rationale behind this decision as well as alternative options.

:::

:::important

Using private transactions with [pruning](../../../public-networks/concepts/data-storage-formats.md) or [fast sync](../../../public-networks/reference/cli/options.md#sync-mode) is not supported.

:::

### `privacy-marker-transaction-signing-key-file`
### `privacy-marker-transaction-signing-key-file` (Deprecated)

<Tabs>
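Review bot: The deprecation caution is added under `privacy-enabled` only; at the end of this hunk `privacy-marker-transaction-signing-key-file` gets "(Deprecated)" in its heading with no explanatory text in the visible lines, and the heading-only hunks that follow have the same shape. A reader who arrives at one of those sections through a deep link sees the label but not the Besu 24.11.0 context or the blog post link. Suggest a one-line pointer back to this caution under each deprecated option.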

Expand Down Expand Up @@ -586,7 +592,7 @@ You must specify this option if you're using:

If you do not specify this option (for example, in a free gas network), Besu signs each transaction with a different randomly generated key.

### `privacy-multi-tenancy-enabled`
### `privacy-multi-tenancy-enabled` (Deprecated)

<Tabs>

Expand Down Expand Up @@ -626,7 +632,7 @@ privacy-multi-tenancy-enabled=false

Enables or disables [multi-tenancy](../../concepts/privacy/multi-tenancy.md) for private transactions. The default is `false`.

### `privacy-flexible-groups-enabled`
### `privacy-flexible-groups-enabled` (Deprecated)

<Tabs>

Expand Down Expand Up @@ -668,7 +674,7 @@ Enables or disables [flexible privacy groups](../../concepts/privacy/flexible-pr

Deprecated syntax for this option is `--privacy-onchain-groups-enabled`.

### `privacy-public-key-file`
### `privacy-public-key-file` (Deprecated)

<Tabs>
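Review bot: The context line "Deprecated syntax for this option is `--privacy-onchain-groups-enabled`." now sits in a section whose own heading was marked "(Deprecated)" in the previous hunk, so "deprecated" carries two meanings there: the old alias and the option as a whole. Suggest rewording that sentence, for example "The previous name for this option is `--privacy-onchain-groups-enabled`.", to keep the two apart.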

Expand Down Expand Up @@ -710,11 +716,11 @@ The [public key of the Tessera node](https://docs.tessera.consensys.net/).

:::important

You cannot specify `privacy-public-key-file` when [`--privacy-multi-tenancy-enabled`](#privacy-multi-tenancy-enabled) is `true`
You cannot specify `privacy-public-key-file` when [`--privacy-multi-tenancy-enabled`](#privacy-multi-tenancy-enabled-deprecated) is `true`

:::

### `privacy-tls-enabled`
### `privacy-tls-enabled` (Deprecated)

<Tabs>

Expand Down Expand Up @@ -754,7 +760,7 @@ privacy-tls-enabled=false

Enables or disables [TLS on communication with the private transaction manager]. The default is false.

### `privacy-tls-keystore-file`
### `privacy-tls-keystore-file` (Deprecated)

<Tabs>

Expand Down Expand Up @@ -794,9 +800,9 @@ privacy-tls-keystore-file="/home/me/me_node/key"

The keystore file (in PKCS #12 format) containing the private key and the certificate presented during authentication.

You must specify `privacy-tls-keystore-file` if [`--privacy-tls-enabled`](#privacy-tls-enabled) is `true`.
You must specify `privacy-tls-keystore-file` if [`--privacy-tls-enabled`](#privacy-tls-enabled-deprecated) is `true`.

### `privacy-tls-keystore-password-file`
### `privacy-tls-keystore-password-file` (Deprecated)

<Tabs>

Expand Down Expand Up @@ -836,7 +842,7 @@ privacy-tls-keystore-password-file="/home/me/me_node/password"

The path to the file containing the password to decrypt the keystore.

### `privacy-tls-known-enclave-file`
### `privacy-tls-known-enclave-file` (Deprecated)

<Tabs>

Expand Down Expand Up @@ -876,7 +882,7 @@ privacy-tls-known-enclave-file="/home/me/me_node/knownEnclave"

The path to the file containing the hostnames, ports, and SHA256 certificate fingerprints of the [authorized privacy enclave](../../how-to/configure/tls/client-and-server.md#create-the-known-servers-file).

### `privacy-url`
### `privacy-url` (Deprecated)

<Tabs>

8 changes: 4 additions & 4 deletions docs/private-networks/tutorials/privacy/index.md
Expand Up @@ -363,14 +363,14 @@ besu --data-path=data --genesis-file=..\genesis.json --rpc-http-enabled --rpc-ht

The command line specifies privacy options:

- [`--privacy-enabled`](../../reference/cli/options.md#privacy-enabled) enables privacy.
- [`--privacy-url`](../../reference/cli/options.md#privacy-url) specifies the Q2T server address of the Tessera node (`Q2T` in `tessera.conf`).
- [`--privacy-public-key-file`](../../reference/cli/options.md#privacy-public-key-file) specifies the file containing Tessera node public key (created in [3. Generate Tessera Keys](#2-generate-tessera-keys)).
- [`--privacy-enabled`](../../reference/cli/options.md#privacy-enabled-deprecated) enables privacy.
- [`--privacy-url`](../../reference/cli/options.md#privacy-url-deprecated) specifies the Q2T server address of the Tessera node (`Q2T` in `tessera.conf`).
- [`--privacy-public-key-file`](../../reference/cli/options.md#privacy-public-key-file-deprecated) specifies the file containing Tessera node public key (created in [3. Generate Tessera Keys](#2-generate-tessera-keys)).
- [`--rpc-http-api`](../../../public-networks/reference/cli/options.md#rpc-http-api) includes `EEA` and `PRIV` in the list of JSON-RPC APIs to enable privacy JSON-RPC API methods.

:::note

Use the [`--privacy-marker-transaction-signing-key-file`](../../reference/cli/options.md#privacy-marker-transaction-signing-key-file) command line option to sign [privacy marker transactions](../../concepts/privacy/private-transactions/processing.md) using a supplied key. The command line option is mandatory in privacy-enabled paid gas networks.
Use the [`--privacy-marker-transaction-signing-key-file`](../../reference/cli/options.md#privacy-marker-transaction-signing-key-file-deprecated) command line option to sign [privacy marker transactions](../../concepts/privacy/private-transactions/processing.md) using a supplied key. The command line option is mandatory in privacy-enabled paid gas networks.

:::
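Review bot: In the `--privacy-public-key-file` bullet, the link text reads "3. Generate Tessera Keys" while the fragment is `#2-generate-tessera-keys`. The line is already being edited for the `-deprecated` anchor, so check which step number is correct and make the text and the fragment agree.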

6 changes: 3 additions & 3 deletions docs/private-networks/tutorials/privacy/multi-tenancy.md
Expand Up @@ -156,9 +156,9 @@ The command line specifies privacy options:

- [`--rpc-http-authentication-enabled`](../../../public-networks/reference/cli/options.md#rpc-http-authentication-enabled) enables authentication for JSON-RPC APIs.
- [`--rpc-http-authentication-jwt-public-key-file`](../../../public-networks/reference/cli/options.md#rpc-http-authentication-jwt-public-key-file) specifies the Operator's [public key file](#1-generate-a-private-and-public-key-pair). Used to authenticate the [tenant JWTs](#6-generate-the-tenant-jwts).
- [`--privacy-enabled`](../../reference/cli/options.md#privacy-enabled) enables privacy.
- [`--privacy-url`](../../reference/cli/options.md#privacy-url) specifies the [Quorum to Tessera (Q2T)] server address of the Tessera node (`Q2T` in `tessera.conf`).
- [`--privacy-multi-tenancy-enabled`](../../reference/cli/options.md#privacy-multi-tenancy-enabled) enables multi-tenancy.
- [`--privacy-enabled`](../../reference/cli/options.md#privacy-enabled-deprecated) enables privacy.
- [`--privacy-url`](../../reference/cli/options.md#privacy-url-deprecated) specifies the [Quorum to Tessera (Q2T)] server address of the Tessera node (`Q2T` in `tessera.conf`).
- [`--privacy-multi-tenancy-enabled`](../../reference/cli/options.md#privacy-multi-tenancy-enabled-deprecated) enables multi-tenancy.

:::note

