Skip to content
You are reading Hyperledger Besu development version documentation and some displayed features may not be available in the stable release. You can switch to stable version using the version box at screen bottom.

Updated on September 4, 2020

Onchain Privacy Groups

Onchain privacy groups use smart contracts to store and maintain the group membership. You can add and remove members to and from onchain privacy groups.


Onchain privacy groups are an early access feature. Do not use in production networks.

Onchain privacy groups are not supported with multi-tenancy.

The onchain privacy group interfaces might change between releases. There might not be an upgrade path from onchain privacy groups created using v1.4 to enable use of onchain privacy group functionality in future versions.

It’s not recommended to create onchain privacy groups in a chain with existing offchain privacy groups.

Group Management Contracts

The privacy group management contract bytecode is hard-coded into Hyperledger Besu and when you create a privacy group, the contract bytecode is part of the genesis state of the privacy group.


All members of an onchain privacy group must be using the same version of Hyperledger Besu. If using different versions, the private state within the privacy group may become inconsistent.

In the default implementation of the group management contract, the signer of the private transaction that creates the privacy group is also the owner of the group. Only the owner can add and remove participants, and upgrade the management contract.

The owner is identified by the signing key. Transactions to add and remove participants, or upgrade the management contract, must be signed by the same key that signed the group creation transaction.

Onchain Privacy Group IDs

When creating an onchain privacy group, generate the privacy group ID for the group outside of Besu and pass the ID as a parameter.

The web3js-eea library generates a unique privacy group ID and passes the ID to Besu when creating a privacy group.


When generating a privacy group ID, you must ensure the ID is unique across all network participants. If you create a privacy group with an existing privacy group ID, the existing privacy group is overwritten.

To ensure unique privacy group IDs, using 256-bit SecureRandom is recommended.

Questions or feedback? You can discuss issues and obtain free support on Hyperledger Besu chat channel.
For Hyperledger Besu community support, contact the mailing list