Skip to content
You are reading Hyperledger Besu development version documentation and some displayed features may not be available in the stable release. You can switch to stable version using the version box at screen bottom.
Date of last update: September 7, 2022

Private network command line options

This reference describes the syntax of the Hyperledger Besu private network command line interface (CLI) options.

Attention

This reference contains options that apply to only private networks. For options that apply to both private and public networks, see the public network options reference.

Specify options

You can specify Besu options:

  • On the command line.

    besu [OPTIONS] [SUBCOMMAND]
    
  • As an environment variable. For each command line option, the equivalent environment variable is:

    • Uppercase.
    • _ replaces -.
    • Has a BESU_ prefix.

For example, set --miner-coinbase using the BESU_MINER_COINBASE environment variable.

If you specify an option in more than one place, the order of priority is command line, environment variable, configuration file.

If using Bash or Z shell, you can view option suggestions by entering -- and pressing the Tab key twice.

besu --Tab+Tab

Options

permissions-accounts-config-file

--permissions-accounts-config-file=<FILE>
--permissions-accounts-config-file=/home/me/me_configFiles/myPermissionsFile
BESU_PERMISSIONS_ACCOUNTS_CONFIG_FILE=/home/me/me_configFiles/myPermissionsFile
permissions-accounts-config-file="/home/me/me_configFiles/myPermissionsFile"

The accounts permissions configuration file. The default is the permissions_config.toml file in the data directory.

Tip

--permissions-accounts-config-file and --permissions-nodes-config-file can use the same file.

permissions-accounts-config-file-enabled

--permissions-accounts-config-file-enabled[=<true|false>]
--permissions-accounts-config-file-enabled=true
BESU_PERMISSIONS_ACCOUNTS_CONFIG_FILE_ENABLED=true
permissions-accounts-config-file-enabled=true

Enables or disables file-based account level permissions. The default is false.

permissions-accounts-contract-address

--permissions-accounts-contract-address=<ContractAddress>
--permissions-accounts-contract-address=xyz
BESU_PERMISSIONS_ACCOUNTS_CONTRACT_ADDRESS=xyz
permissions-accounts-contract-address="xyz"

The contract address for onchain account permissioning.

permissions-accounts-contract-enabled

--permissions-accounts-contract-enabled[=<true|false>]
--permissions-accounts-contract-enabled=true
BESU_PERMISSIONS_ACCOUNTS_CONTRACT_ENABLED=true
permissions-accounts-contract-enabled=true

Enables or disables contract-based onchain account permissioning. The default is false.

permissions-nodes-config-file

--permissions-nodes-config-file=<FILE>
--permissions-nodes-config-file=/home/me/me_configFiles/myPermissionsFile
BESU_PERMISSIONS_NODES_CONFIG_FILE=/home/me/me_configFiles/myPermissionsFile
permissions-nodes-config-file="/home/me/me_configFiles/myPermissionsFile"

The nodes permissions configuration file. The default is the permissions_config.toml file in the data directory.

Tip

--permissions-nodes-config-file and --permissions-accounts-config-file can use the same file.

permissions-nodes-config-file-enabled

--permissions-nodes-config-file-enabled[=<true|false>]
--permissions-nodes-config-file-enabled=true
BESU_PERMISSIONS_NODES_CONFIG_FILE_ENABLED=true
permissions-nodes-config-file-enabled=true

Enables or disables file-based node level permissions. The default is false.

permissions-nodes-contract-address

--permissions-nodes-contract-address=<ContractAddress>
--permissions-nodes-contract-address=xyz
BESU_PERMISSIONS_NODES_CONTRACT_ADDRESS=xyz
permissions-nodes-contract-address="xyz"

The contract address for onchain node permissioning.

permissions-nodes-contract-enabled

--permissions-nodes-contract-enabled[=<true|false>]
--permissions-nodes-contract-enabled=true
BESU_PERMISSIONS_NODES_CONTRACT_ENABLED=true
permissions-nodes-contract-enabled=true

Enables or disables contract-based onchain node permissioning. The default is false.

permissions-nodes-contract-version

--permissions-nodes-contract-version=<ContractVersion>
--permissions-nodes-contract-version=2
BESU_PERMISSIONS_NODES_CONTRACT_VERSION=2
permissions-nodes-contract-version=2

Version of the EEA node permissioning interface. The default is 1.

privacy-enabled

--privacy-enabled[=<true|false>]
--privacy-enabled=false
BESU_PRIVACY_ENABLED=false
privacy-enabled=false

Enables or disables private transactions. The default is false.

Important

Using private transactions with pruning or fast sync is not supported.

privacy-marker-transaction-signing-key-file

--privacy-marker-transaction-signing-key-file=<FILE>
--privacy-marker-transaction-signing-key-file=/home/me/me_node/myPrivateKey
BESU_PRIVACY_MARKER_TRANSACTION_SIGNING_KEY_FILE=/home/me/me_node/myPrivateKey
privacy-marker-transaction-signing-key-file="/home/me/me_node/myPrivateKey"

<FILE> is the name of the private key file used to sign privacy marker transactions.

Note

This can be the same file used by --node-private-key-file, or a different key file to identify who signed the privacy marker transaction.

You must specify this option if you’re using:

  • a privacy network where you pay gas. Also, the associated account must contain adequate funds.
  • account permissioning and privacy. You must include the corresponding public key in the accounts allowlist.

If you do not specify this option (for example, in a free gas network), Besu signs each transaction with a different randomly generated key.

privacy-multi-tenancy-enabled

--privacy-multi-tenancy-enabled[=<true|false>]
--privacy-multi-tenancy-enabled=false
BESU_PRIVACY_MULTI_TENANCY_ENABLED=false
privacy-multi-tenancy-enabled=false

Enables or disables multi-tenancy for private transactions. The default is false.

privacy-flexible-groups-enabled

--privacy-flexible-groups-enabled[=<true|false>]
--privacy-flexible-groups-enabled=true
BESU_PRIVACY_FLEXIBLE_GROUPS_ENABLED=true
privacy-flexible-groups-enabled=true

Enables or disables flexible privacy groups. The default is false.

Deprecated syntax for this option is --privacy-onchain-groups-enabled.

privacy-public-key-file

--privacy-public-key-file=<privacyPublicKeyFile>
--privacy-public-key-file=Tessera/nodeKey.pub
BESU_PRIVACY_PUBLIC_KEY_FILE=Tessera/nodeKey.pub
privacy-public-key-file="Tessera/nodeKey.pub"

The public key of the Tessera node.

Important

You cannot specify privacy-public-key-file when --privacy-multi-tenancy-enabled is true

privacy-tls-enabled

--privacy-tls-enabled[=<true|false>]
--privacy-tls-enabled=false
BESU_PRIVACY_TLS_ENABLED=false
privacy-tls-enabled=false

Enables or disables TLS on communication with the private transaction manager. The default is false.

privacy-tls-keystore-file

--privacy-tls-keystore-file=<FILE>
--privacy--keystore-file=/home/me/me_node/key
BESU_PRIVACY_TLS_KEYSTORE_FILE=/home/me/me_node/key
privacy-tls-keystore-file="/home/me/me_node/key"

The keystore file (in PKCS #12 format) containing the private key and the certificate presented during authentication.

You must specify privacy-tls-keystore-file if --privacy-tls-enabled is true.

privacy-tls-keystore-password-file

--privacy-tls-keystore-password-file=<FILE>
--privacy-tls-keystore-password-file=/home/me/me_node/password
BESU_PRIVACY_TLS_KEYSTORE_PASSWORD_FILE=/home/me/me_node/password
privacy-tls-keystore-password-file="/home/me/me_node/password"

The path to the file containing the password to decrypt the keystore.

privacy-tls-known-enclave-file

--privacy-tls-known-enclave-file=<FILE>
--privacy-tls-known-enclave-file=/home/me/me_node/knownEnclave
BESU_PRIVACY_TLS_KNOWN_ENCLAVE_FILE=/home/me/me_node/knownEnclave
privacy-tls-known-enclave-file="/home/me/me_node/knownEnclave"

The path to the file containing the hostnames, ports, and SHA256 certificate fingerprints of the authorized privacy enclave.

privacy-url

--privacy-url=<privacyUrl>
--privacy-url=http://127.0.0.1:8888
BESU_PRIVACY_URL=http://127.0.0.1:8888
privacy-url="http://127.0.0.1:8888"

The URL on which the Tessera node is running.