**Changes:** - The `keys.keyData.passwords` field is no longer supported. Instead, use `keys.keyData.passwordFile` or utilise the [CLI password prompt](../Keys#providing-key-passwords-at-runtime) when starting the node. - Added configuration to choose alternative curves/symmetric ciphers. If no encryptor configuration is provided it will default to NaCl (see [Supporting alternative curves in Tessera](../Configuration Overview#supporting-alternative-curves-in-tessera) for more details). e.g. ``` "encryptor": { "type":"EC", "properties":{ "symmetricCipher":"AES/GCM/NoPadding", "ellipticCurve":"secp256r1", "nonceLength":"24", "sharedKeyLength":"32" } } ``` **Sample:** ```json { "useWhiteList": "boolean", "jdbc": { "url": "String", "username": "String", "password": "String" }, "serverConfigs": [ { "app": "ENCLAVE", // Defines us using a remote enclave, leave out if using built-in enclave "enabled": true, "serverAddress": "http://localhost:9081", //Where to find the remote enclave "communicationType": "REST" }, { "app": "ThirdParty", "enabled": true, "serverAddress": "http://localhost:9081", "bindingAddress": "String - url with port e.g. http://127.0.0.1:9081", "communicationType": "REST" }, { "app": "Q2T", "enabled": true, "serverAddress": "unix:/tmp/tm.ipc", "communicationType": "REST" }, { "app": "P2P", "enabled": true, "serverAddress": "http://localhost:9001", "bindingAddress": "String - url with port e.g. http://127.0.0.1:9001", "sslConfig": { "tls": "enum STRICT,OFF", "generateKeyStoreIfNotExisted": "boolean", "serverKeyStore": "Path", "serverTlsKeyPath": "Path", "serverTlsCertificatePath": "Path", "serverKeyStorePassword": "String", "serverTrustStore": "Path", "serverTrustCertificates": [ "Path..." ], "serverTrustStorePassword": "String", "serverTrustMode": "Enumeration: CA, TOFU, WHITELIST, CA_OR_TOFU, NONE", "clientKeyStore": "Path", "clientTlsKeyPath": "Path", "clientTlsCertificatePath": "Path", "clientKeyStorePassword": "String", "clientTrustStore": "Path", "clientTrustCertificates": [ "Path..." ], "clientTrustStorePassword": "String", "clientTrustMode": "Enumeration: CA, TOFU, WHITELIST, CA_OR_TOFU, NONE", "knownClientsFile": "Path", "knownServersFile": "Path" }, "communicationType": "REST" } ], "peer": [ { "url": "url e.g. http://127.0.0.1:9000/" } ], "keys": { "passwordFile": "Path", "azureKeyVaultConfig": { "url": "Azure Key Vault url" }, "hashicorpKeyVaultConfig": { "url": "Hashicorp Vault url", "approlePath": "String (defaults to 'approle' if not set)", "tlsKeyStorePath": "Path to jks key store", "tlsTrustStorePath": "Path to jks trust store" }, "keyData": [ { "config": { "data": { "aopts": { "variant": "Enum : id,d or i", "memory": "int", "iterations": "int", "parallelism": "int" }, "bytes": "String", "snonce": "String", "asalt": "String", "sbox": "String", "password": "String" }, "type": "Enum: argon2sbox or unlocked. If unlocked is defined then config data is required. " }, "privateKey": "String", "privateKeyPath": "Path", "azureVaultPrivateKeyId": "String", "azureVaultPrivateKeyVersion": "String", "publicKey": "String", "publicKeyPath": "Path", "azureVaultPublicKeyId": "String", "azureVaultPublicKeyVersion": "String", "hashicorpVaultSecretEngineName": "String", "hashicorpVaultSecretName": "String", "hashicorpVaultSecretVersion": "Integer (defaults to 0 (latest) if not set)", "hashicorpVaultPrivateKeyId": "String", "hashicorpVaultPublicKeyId": "String" } ] }, "alwaysSendTo": [ "String..." ], "unixSocketFile": "Path", "features": { "enableRemoteKeyValidation": false }, "encryptor": { "type": "Enumeration: NACL, EC", "properties":{ "symmetricCipher":"String (defaults to AES/GCM/NoPadding if type = EC)", "ellipticCurve": "String (defaults to secp256r1 if type = EC)", "nonceLength": "String (defaults to 24 if type = EC)", "sharedKeyLength": "String (defaults to 32 if type = EC)" } } } ```