felipefaraggi

7 min read - Posted 03 Apr 20

Privacy with Besu: environment setup and private group management

Making private transactions on the blockchain is a must for individual users, but it's even more important for companies using DLT technologies. Businesses sometimes need to send information that isn't visible to all parties, even if the contents are encrypted. Most of the time, these needs come from legal and regulatory requirements.

In the following tutorial, we'll learn how to set up a privacy-enabled network and how to make a private transaction, and we'll give you some tips to streamline this process with the use of some PegaSys tools.

Contents

Fast-forward - In case you want to skip environment setup
Environment Setup
Private Group Management
Shortcuts

Fast forward

If you'd rather skip the environment setup and read about options to start testing privacy more quickly, go to the Shortcuts section.

Environment and Setup

  1. To run a privacy-enabled network, we recommend having an IBFT 2.0 network set up as a prerequisite. We'll be adding on top of it in the following steps. Follow these instructions to help you set it up.

Other requirements for this tutorial are having [Besu and ethsigner installed](TODO kauri-link).

Once your IBFT setup is complete, you may delete the Node-4 folder, as we'll only be using 3 nodes in this example.

Your working folder should look like this now:

 $ tree
.
├── genesis.json
├── ibftConfigFile.json (optional)
├── Node-1
│   └── data
│       ├── key
│       └── key.pub
├── Node-2
│   └── data
│       ├── key
│       └── key.pub
└── Node-3
    └── data
        ├── key
        └── key.pub
  2. Create an Orion folder inside each Node-X directory.

From the root project folder, create an Orion folder in each Node directory.

$ mkdir -p Node-{1..3}/Orion
  3. Create password files

Create a password file containing respective Orion passwords in each Orion folder.

touch Node-{1..3}/Orion/passwordFile

Be sure to put a password in each of these files, for example:

for i in {1..3}
do
  echo "password$i" > Node-$i/Orion/passwordFile
done

These are example passwords only; make sure you use safe and secure passwords for your Orion nodes.

  4. Generate the Orion keys

In each Orion folder, generate a public/private key pair by running orion -g nodeKey. You can supply a comma-separated list of paths to generate them all in one command:

orion -g Node-1/Orion/nodeKey,Node-2/Orion/nodeKey,Node-3/Orion/nodeKey

Remember to use the same password you've put in the passwordFile for each node; otherwise, the Orion nodes will not start correctly.

  5. Create Orion configuration files

Create an orion.conf in each Orion folder.

Node-1's configuration:

nodeurl = "http://127.0.0.1:8080/"
nodeport = 8080
clienturl = "http://127.0.0.1:8888/"
clientport = 8888
publickeys = ["nodeKey.pub"]
privatekeys = ["nodeKey.key"]
passwords = "passwordFile"
tls = "off"

Node-2 and Node-3's configuration is slightly different: change the ports on each Orion and add the othernodes attribute.

Node-2 configuration:

nodeurl = "http://127.0.0.1:8081/"
nodeport = 8081
clienturl = "http://127.0.0.1:8889/"
clientport = 8889
publickeys = ["nodeKey.pub"]
privatekeys = ["nodeKey.key"]
passwords = "passwordFile"
othernodes = ["http://127.0.0.1:8080/"]
tls = "off"

Node-3 configuration:

nodeurl = "http://127.0.0.1:8082/"
nodeport = 8082
clienturl = "http://127.0.0.1:8890/"
clientport = 8890
publickeys = ["nodeKey.pub"]
privatekeys = ["nodeKey.key"]
passwords = "passwordFile"
othernodes = ["http://127.0.0.1:8080/"]
tls = "off"

Your working folder should look like this at this point:

 $ tree
.
├── genesis.json
├── ibftConfigFile.json (optional)
├── Node-1
│   ├── data
│   │   ├── key
│   │   └── key.pub
│   └── Orion
│       ├── nodeKey.key
│       ├── nodeKey.pub
│       ├── orion.conf
│       └── passwordFile
├── Node-2
│   ├── data
│   │   ├── key
│   │   └── key.pub
│   └── Orion
│       ├── nodeKey.key
│       ├── nodeKey.pub
│       ├── orion.conf
│       └── passwordFile
└── Node-3
    ├── data
    │   ├── key
    │   └── key.pub
    └── Orion
        ├── nodeKey.key
        ├── nodeKey.pub
        ├── orion.conf
        └── passwordFile
  6. Start the Orion and Besu nodes

Open 6 separate terminals or terminal tabs: 3 of them will be running Orion and the other 3 will be running Besu nodes.


In each Orion folder, run orion orion.conf, passing that Orion's configuration file:

orion orion.conf

In each Node-X directory, run the corresponding Besu command:

Node-1:

besu --data-path=data --genesis-file=../genesis.json --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,EEA,PRIV --host-whitelist="*" --rpc-http-cors-origins="all" --privacy-enabled --privacy-url=http://127.0.0.1:8888 --privacy-public-key-file=Orion/nodeKey.pub --min-gas-price=0

Node-2, specifying Node-1's enode address as a bootnode:

besu --data-path=data --genesis-file=../genesis.json --bootnodes=enode://a1201efea997b1735e5f690c4e9362b8b66d109f50067af7ccc49b778c5af61108faea4eacaec6559fd91a6e0e9dc52ecfa5406f99f0fd4dc0334d6a4704cfc7@127.0.0.1:30303 --p2p-port=30304 --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,EEA,PRIV --host-whitelist="*" --rpc-http-cors-origins="all" --rpc-http-port=8546 --privacy-enabled --privacy-url=http://127.0.0.1:8889 --privacy-public-key-file=Orion/nodeKey.pub --min-gas-price=0

Node-3, also specifying Node-1's enode address as a bootnode:

besu --data-path=data --genesis-file=../genesis.json --bootnodes=enode://a1201efea997b1735e5f690c4e9362b8b66d109f50067af7ccc49b778c5af61108faea4eacaec6559fd91a6e0e9dc52ecfa5406f99f0fd4dc0334d6a4704cfc7@127.0.0.1:30303 --p2p-port=30305 --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,EEA,PRIV --host-whitelist="*" --rpc-http-cors-origins="all" --rpc-http-port=8547 --privacy-enabled --privacy-url=http://127.0.0.1:8890 --privacy-public-key-file=Orion/nodeKey.pub --min-gas-price=0

The enode address passed to --bootnodes has to be replaced by your own Node-1's enode address in both Node-2's and Node-3's run command.
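
Scripting steps 2, 3 and 5 for an arbitrary number of nodes, as an added example that is not part of the original article: orion_conf reproduces the port scheme of the three configurations above, setup_orion_dirs writes the Orion folders with a constructed random password per node, and missing_orion_files checks the tree shown after step 5. The function names are this example's own; keys are still generated with orion -g as in step 4.

```python
"""Added example, not from the original article: write the Node-<i>/Orion layout
of steps 2, 3 and 5 for any node count and check the step-5 folder tree.
Port scheme follows the article (node i: nodeport 8080+i-1, clientport 8888+i-1;
every node but Node-1 lists Node-1 under othernodes). Keys are NOT generated
here: run `orion -g nodeKey` in each folder using that folder's passwordFile."""
import secrets
from pathlib import Path

ORION_FILES = ("nodeKey.key", "nodeKey.pub", "orion.conf", "passwordFile")


def orion_conf(n: int) -> str:
    """Return the orion.conf text for node n (1-based)."""
    nodeport, clientport = 8080 + n - 1, 8888 + n - 1
    lines = [f'nodeurl = "http://127.0.0.1:{nodeport}/"', f"nodeport = {nodeport}",
             f'clienturl = "http://127.0.0.1:{clientport}/"', f"clientport = {clientport}",
             'publickeys = ["nodeKey.pub"]', 'privatekeys = ["nodeKey.key"]',
             'passwords = "passwordFile"']
    if n != 1:  # Node-1 is the peer every other Orion discovers the rest through
        lines.append('othernodes = ["http://127.0.0.1:8080/"]')
    lines.append('tls = "off"')
    return "\n".join(lines) + "\n"


def setup_orion_dirs(root: Path, count: int) -> list:
    """Create <root>/Node-<i>/Orion with a random passwordFile (0600) and orion.conf."""
    created = []
    for i in range(1, count + 1):
        d = root / f"Node-{i}" / "Orion"
        d.mkdir(parents=True, exist_ok=True)
        pw = d / "passwordFile"
        pw.write_text(secrets.token_hex(24) + "\n")  # constructed password, one per node
        pw.chmod(0o600)  # only the account running Orion needs to read it
        (d / "orion.conf").write_text(orion_conf(i))
        created.append(d)
    return created


def missing_orion_files(root: Path, count: int) -> list:
    """Return every file of the article's step-5 tree that is absent (empty = complete)."""
    return [f"Node-{i}/Orion/{f}" for i in range(1, count + 1) for f in ORION_FILES
            if not (root / f"Node-{i}" / "Orion" / f).is_file()]


if __name__ == "__main__":
    setup_orion_dirs(Path("."), 3)
    print("missing until orion -g runs:", missing_orion_files(Path("."), 3))
```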

Private Group Management

Once the Besu and Orion nodes are running and receiving transactions from peers, request the upcheck endpoint to make sure everything is working correctly.

curl -X GET http://127.0.0.1:8888/upcheck

If everything's running, your response should be the following.

$ curl -X GET http://127.0.0.1:8888/upcheck
I'm up!%

The knownnodes endpoint returns the public keys and nodeUrls of the currently running Orion nodes. This should return the 3 Orion nodes we set up previously.

curl -X GET http://127.0.0.1:8888/knownnodes | json_pp
[
   {
      "publicKey" : "HgeDk3m4E6x9Jn5WumwzQ8NmsqX75xitvw+++9Iw0Tc=",
      "nodeUrl" : "http://127.0.0.1:8082/"
   },
   {
      "nodeUrl" : "http://127.0.0.1:8081/",
      "publicKey" : "pDP1g5nVaatAuwQ42v/kvlTq0dTRKHBQLxEMRRvBmgk="
   },
   {
      "publicKey" : "p89ipRJzzHss8bTBp95YIk9y5FVjy1OEb2lp1LHpSS8=",
      "nodeUrl" : "http://127.0.0.1:8080/"
   }
]

If we want to use Besu's extended privacy options, we can now make a privacy group.

$ curl -X POST --data '{"jsonrpc":"2.0","method": "priv_createPrivacyGroup", "params": [{"addresses":["pDP1g5nVaatAuwQ42v/kvlTq0dTRKHBQLxEMRRvBmgk=","p89ipRJzzHss8bTBp95YIk9y5FVjy1OEb2lp1LHpSS8="],"name":"Group 1 and 2","description":"Description Group 1 and 2"}],"id":1}' http://127.0.0.1:8545
{
  "jsonrpc" : "2.0",
  "id" : 1,
  "result" : "mgQovVq/vE3I5VkLzrUpg16MtxUYfivLUxMcv5ssJH0="
}

The result is our privacy group Id: mgQovVq/vE3I5VkLzrUpg16MtxUYfivLUxMcv5ssJH0=.

Let's make sure our privacy group is found by our nodes.

curl -X POST http://127.0.0.1:8888/findPrivacyGroup \
  -H 'Content-Type: application/json' \
  -d '{
  "addresses" : [
      "p89ipRJzzHss8bTBp95YIk9y5FVjy1OEb2lp1LHpSS8=",
      "pDP1g5nVaatAuwQ42v/kvlTq0dTRKHBQLxEMRRvBmgk="
  ]
}'

[
   {
      "privacyGroupId" : "mgQovVq/vE3I5VkLzrUpg16MtxUYfivLUxMcv5ssJH0=",
      "name" : "Group 1 and 2",
      "description" : "Description Group 1 and 2",
      "type" : "PANTHEON",
      "members" : [
         "pDP1g5nVaatAuwQ42v/kvlTq0dTRKHBQLxEMRRvBmgk=",
         "p89ipRJzzHss8bTBp95YIk9y5FVjy1OEb2lp1LHpSS8="
      ]
   }
]

This returns our privacy group with the details we included when creating it.
Now you can start sending private transactions to that privacy group, either with the EEA privacy options, by listing the recipient nodes in privateFor, or with Besu's extended privacy features, by sending the transaction to that privacy group Id.
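
The same create-then-verify round trip in Python, as an added example that is not the article's code: it builds the priv_createPrivacyGroup body shown above and checks Orion's findPrivacyGroup reply against the members we intended, so a group with a missing or extra member is noticed before any private transaction is sent to it. The responses captured above are reused as sample input; post_json and the other function names are this example's own.

```python
"""Added example, not from the original article: build the priv_createPrivacyGroup
request shown above and verify Orion's findPrivacyGroup answer against the members
we intended, so a group with a missing or extra member is caught before any private
transaction is sent to it. Sample responses are the ones captured in the article."""
import base64
import json
import urllib.request

NODE1_ORION = "p89ipRJzzHss8bTBp95YIk9y5FVjy1OEb2lp1LHpSS8="  # Orion public keys
NODE2_ORION = "pDP1g5nVaatAuwQ42v/kvlTq0dTRKHBQLxEMRRvBmgk="  # from knownnodes above
SAMPLE_CREATE_RESPONSE = {"jsonrpc": "2.0", "id": 1,
                          "result": "mgQovVq/vE3I5VkLzrUpg16MtxUYfivLUxMcv5ssJH0="}
SAMPLE_FIND_RESPONSE = [{"privacyGroupId": "mgQovVq/vE3I5VkLzrUpg16MtxUYfivLUxMcv5ssJH0=",
                         "name": "Group 1 and 2", "description": "Description Group 1 and 2",
                         "type": "PANTHEON", "members": [NODE2_ORION, NODE1_ORION]}]


def create_group_request(members, name, description, req_id=1):
    """JSON-RPC body for priv_createPrivacyGroup, POSTed to Besu's HTTP RPC (8545)."""
    return {"jsonrpc": "2.0", "method": "priv_createPrivacyGroup", "id": req_id,
            "params": [{"addresses": list(members), "name": name, "description": description}]}


def group_id_from(create_response):
    """Extract the privacy group id, or raise if the RPC returned an error object."""
    if "error" in create_response:
        raise RuntimeError(f"priv_createPrivacyGroup failed: {create_response['error']}")
    gid = create_response["result"]
    if len(base64.b64decode(gid, validate=True)) != 32:  # the article's ids are 32 bytes
        raise ValueError(f"unexpected privacy group id: {gid}")
    return gid


def verify_privacy_group(find_response, group_id, expected_members):
    """True only if Orion reports exactly one group with this id and its member set is
    exactly expected_members: order is irrelevant, an extra or missing member fails."""
    matches = [g for g in find_response if g.get("privacyGroupId") == group_id]
    return len(matches) == 1 and set(matches[0].get("members", [])) == set(expected_members)


def post_json(url, body, timeout=5):
    """POST a JSON body and decode the JSON reply; only for use against running nodes,
    e.g. post_json("http://127.0.0.1:8545", create_group_request(...))."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)
```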

Shortcuts

besu-sample-networks

besu-sample-networks is a PegaSys quick-start repo which will help you quickly get up and running with most types of Ethereum networks.

besu-sample-networks allows you to run a privacy-enabled network with the run-privacy.sh script. This script will run 3 Besu instances, 3 Orion instances as well as monitoring and querying endpoints, such as GraphQL and Grafana.

To do this, simply clone the repo in the folder of your choice, and run the script as follows.

git clone https://github.com/PegaSysEng/besu-sample-networks
cd besu-sample-networks
./run-privacy.sh

Network Config Tool

PegaSys' Network Config Tool gives users a clear and easy path to follow in order to start a sample blockchain network. Its web GUI forms collect answers in order to determine which configuration files you will need for your network.

Clone and install it:

git clone git@github.com:PegaSysEng/network-config-tool.git
cd network-config-tool
npm install --prefix client
npm install
npm start

Once running, npm will auto-launch a webpage in your default browser pointing to localhost:3000.

Warning: Do not use this tool in production yet. Wait until an official release and read the information given in the repository README.

The Network Config Tool requires npm.

Github repo

I've created a repository with besu folders and files with the needed configuration for this tutorial.

git clone https://github.com/faraggi/besu-network-files

The repo contains:

  • IBFT genesis.json file
  • 3 Node-X folders
  • corresponding data folders with public and private keys
  • corresponding Orion folders with public and private keys and orion configuration file
  • a web3js-eea-keys.js file to use it in place of the standard web3js-eea/example/keys.js file

You can now continue with the steps in Running Privacy.

Content is "CC-BY-SA 4.0" licensed
Article Author

Felipe Faraggi

Developer Evangelist
