Vault plugin for secure authentication, creation, management, and usage of Solana wallet keypairs

callensm/vault-plugin-solana

Vault Plugin - Solana

Offchain Message Auth and Keypair Secrets Backend

This repository contains Vault plugin backends for both authentication and secrets engine functionality for Solana wallet keypairs.

Downloads

The binaries and associated SHA256 sums for both plugin backends are prebuilt and uploaded in the repository releases for easy access and downloading. Alternatively, you can build from source for your specific environment.

Important

If the execution environment is macOS (darwin) and you are using the prebuilt binaries, you will likely have to remove the Apple quarantine attribute from the binaries to allow execution, because the builds are not Apple codesigned.

$ xattr -d com.apple.quarantine vault-plugin-<TYPE>-solana

Auth Backend

Setup

$ vault plugin register \
    -sha256=$(shasum -a 256 vault-plugin-auth-solana | cut -d ' ' -f1) \
    auth \
    vault-plugin-auth-solana

$ vault auth enable -path=solana vault-plugin-auth-solana

Usage

Authenticating with Vault using Solana offchain message verification is a three-step process.

1. Generate a random message/nonce to sign

$ MESSAGE=$(vault write -format=json auth/<MOUNT>/nonce public_key="<PUBKEY>" | jq -r .data.nonce)

2. Sign the message with your keypair

$ SIGNATURE=$(solana sign-offchain-message --output json "$MESSAGE")

3. Login and verify with Vault

$ vault write auth/<MOUNT>/login public_key="<PUBKEY>" signature="$SIGNATURE"

Note

This signature verification recreates the Solana V0 offchain message header preamble prior to verification to ensure compatibility with the signing/message standard used by the Solana CLI and SDKs.

Secrets Backend

Setup

$ vault plugin register \
    -sha256=$(shasum -a 256 vault-plugin-secrets-solana | cut -d ' ' -f1) \
    secret \
    vault-plugin-secrets-solana

$ vault secrets enable -path=solana vault-plugin-secrets-solana

Usage

Generate and store a new Solana wallet

$ vault write -force <mount>/wallet/my-wallet

Import an existing private key

$ vault write <mount>/wallet/my-wallet private_key="<BASE-58 PRIVKEY>"

List all stored wallet IDs

$ vault list <mount>/wallets

Read public and private key material in base-58

$ vault read <mount>/wallet/my-wallet

Read only the base-58 public key

$ vault read <mount>/wallet/my-wallet/pubkey

Sign a message

By default this message is signed after being wrapped with the Solana V0 offchain message preamble. You can disable the offchain preamble and do a raw message signature by setting offchain=false.

$ vault write <mount>/wallet/my-wallet/message/sign message="my message body to sign" offchain=<bool>

Verify a message signature

As with the signing write operation, you can disable the Solana V0 offchain message preamble during verification by setting offchain=false.

$ vault write <mount>/wallet/my-wallet/message/verify message="my message body to sign" signature="<BASE-58 SIGNATURE>" offchain=<bool>
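
Added example (not code from this repository): a Go illustration of why the preamble has to be recreated before verification, as described in the auth backend note and the offchain option above. The byte layout, the ASCII-only format, the length cap and the names WrapOffchainV0 and VerifyOffchain are assumptions for illustration; the plugin's own serialization is not shown on this page.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Assumed layout (not taken from the plugin source):
// signing domain (16) | version (1) | format (1) | body length (u16 LE) | body
const signingDomain = "\xffsolana offchain"

const (
	headerVersion = 0    // V0
	formatASCII   = 0    // printable ASCII bodies only
	maxBodyLen    = 1212 // assumed cap for the ASCII format
)

// WrapOffchainV0 returns the bytes that are actually signed for a message body.
func WrapOffchainV0(body []byte) ([]byte, error) {
	if len(body) == 0 || len(body) > maxBodyLen {
		return nil, errors.New("body length out of range")
	}
	for _, b := range body {
		if b < 0x20 || b > 0x7e {
			return nil, errors.New("body is not printable ASCII")
		}
	}
	out := append([]byte(signingDomain), headerVersion, formatASCII,
		byte(len(body)), byte(len(body)>>8))
	return append(out, body...), nil
}

// VerifyOffchain rebuilds the preamble around body, then checks the signature.
func VerifyOffchain(pub ed25519.PublicKey, body, sig []byte) bool {
	wrapped, err := WrapOffchainV0(body)
	return err == nil && ed25519.Verify(pub, wrapped, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed throwaway keypair
	nonce := []byte("constructed-nonce-123") // constructed sample nonce
	wrapped, _ := WrapOffchainV0(nonce)
	sig := ed25519.Sign(priv, wrapped)
	fmt.Println("verify with preamble:", VerifyOffchain(pub, nonce, sig))
	fmt.Println("verify as raw bytes: ", ed25519.Verify(pub, nonce, sig))
}
```

A signature made over the wrapped bytes fails raw verification, so the offchain setting has to match on the signing and verifying sides.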

Build Source

The included Makefile in the repository contains a target to build the two backend binaries.

$ make build

This will produce the backend binaries at ./build/plugins/vault-plugin-<TYPE>-solana to be used with the Vault server.
