You are reading Hyperledger Besu development version documentation and some displayed features may not be available in the stable release.
Date of last update: September 15, 2022

Private network command line options

This reference describes the syntax of the Hyperledger Besu private network command line interface (CLI) options.

Attention

This reference contains options that apply to only private networks. For options that apply to both private and public networks, see the public network options reference.

Specify options

You can specify Besu options:

  • On the command line.

    besu [OPTIONS] [SUBCOMMAND]
    
  • As an environment variable. For each command line option, the equivalent environment variable is:

    • Uppercase.
    • _ replaces -.
    • Has a BESU_ prefix.

For example, set --miner-coinbase using the BESU_MINER_COINBASE environment variable.

If you specify an option in more than one place, the order of priority is command line, environment variable, configuration file.
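The naming and priority rules above determine which source supplies a security-relevant setting. The following is an added example, not Besu code: the function names and the `source=value` output format are assumptions made for illustration, and the model only recognizes the `--option=value` form.

```bash
#!/bin/sh
# Added example, not Besu code: a model of the naming and priority rules above,
# for auditing which source supplies a security-relevant setting.

# Option name (with or without leading --) -> environment variable name.
besu_env_name() {
    printf 'BESU_%s\n' "$(printf '%s' "${1#--}" | tr 'a-z' 'A-Z' | tr '-' '_')"
}

# Print "<source>=<value>" for the setting that wins, or return 1 if unset.
# Usage: besu_effective OPTION CONFIG_FILE [command line arguments...]
besu_effective() {
    _opt=${1#--}; _cfg=$2; shift 2
    for _arg in "$@"; do                                    # 1. command line
        case $_arg in
            "--$_opt="*) printf 'cli=%s\n' "${_arg#*=}"; return 0 ;;
        esac
    done
    if _val=$(printenv "$(besu_env_name "$_opt")"); then    # 2. environment
        printf 'env=%s\n' "$_val"; return 0
    fi
    [ -r "$_cfg" ] || return 1                              # 3. configuration file
    _line=$(grep -E "^[[:space:]]*$_opt[[:space:]]*=" "$_cfg" | tail -n 1) || true
    [ -n "$_line" ] || return 1
    printf 'file=%s\n' "$(printf '%s' "$_line" |
        sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/')"
}

# Constructed scenario: the configuration file enables TLS to the private
# transaction manager, but a stale exported variable disables it and wins.
# The body runs in a subshell so the exported variable does not leak.
demo_stale_env_override() (
    _tmp=$(mktemp)
    printf 'privacy-enabled=true\nprivacy-tls-enabled=true\n' > "$_tmp"
    export BESU_PRIVACY_TLS_ENABLED=false
    besu_effective privacy-tls-enabled "$_tmp"
    rm -f "$_tmp"
)
```

Calling `demo_stale_env_override` prints `env=false`: the environment variable overrides the configuration file, so reviewing the file alone does not show the setting the node runs with.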

If using Bash or Z shell, you can view option suggestions by entering -- and pressing the Tab key twice.

besu --Tab+Tab

Caution

Characters such as smart quotes and em dashes don’t work in Besu command line options. Ensure quotes aren’t automatically converted to smart quotes, and double hyphens aren’t combined into em dashes.

Options

permissions-accounts-config-file

--permissions-accounts-config-file=<FILE>
--permissions-accounts-config-file=/home/me/me_configFiles/myPermissionsFile
BESU_PERMISSIONS_ACCOUNTS_CONFIG_FILE=/home/me/me_configFiles/myPermissionsFile
permissions-accounts-config-file="/home/me/me_configFiles/myPermissionsFile"

The accounts permissions configuration file. The default is the permissions_config.toml file in the data directory.

Tip

--permissions-accounts-config-file and --permissions-nodes-config-file can use the same file.

permissions-accounts-config-file-enabled

--permissions-accounts-config-file-enabled[=<true|false>]
--permissions-accounts-config-file-enabled=true
BESU_PERMISSIONS_ACCOUNTS_CONFIG_FILE_ENABLED=true
permissions-accounts-config-file-enabled=true

Enables or disables file-based account level permissions. The default is false.

permissions-accounts-contract-address

--permissions-accounts-contract-address=<ContractAddress>
--permissions-accounts-contract-address=xyz
BESU_PERMISSIONS_ACCOUNTS_CONTRACT_ADDRESS=xyz
permissions-accounts-contract-address="xyz"

The contract address for onchain account permissioning.

permissions-accounts-contract-enabled

--permissions-accounts-contract-enabled[=<true|false>]
--permissions-accounts-contract-enabled=true
BESU_PERMISSIONS_ACCOUNTS_CONTRACT_ENABLED=true
permissions-accounts-contract-enabled=true

Enables or disables contract-based onchain account permissioning. The default is false.

permissions-nodes-config-file

--permissions-nodes-config-file=<FILE>
--permissions-nodes-config-file=/home/me/me_configFiles/myPermissionsFile
BESU_PERMISSIONS_NODES_CONFIG_FILE=/home/me/me_configFiles/myPermissionsFile
permissions-nodes-config-file="/home/me/me_configFiles/myPermissionsFile"

The nodes permissions configuration file. The default is the permissions_config.toml file in the data directory.

Tip

--permissions-nodes-config-file and --permissions-accounts-config-file can use the same file.

permissions-nodes-config-file-enabled

--permissions-nodes-config-file-enabled[=<true|false>]
--permissions-nodes-config-file-enabled=true
BESU_PERMISSIONS_NODES_CONFIG_FILE_ENABLED=true
permissions-nodes-config-file-enabled=true

Enables or disables file-based node level permissions. The default is false.

permissions-nodes-contract-address

--permissions-nodes-contract-address=<ContractAddress>
--permissions-nodes-contract-address=xyz
BESU_PERMISSIONS_NODES_CONTRACT_ADDRESS=xyz
permissions-nodes-contract-address="xyz"

The contract address for onchain node permissioning.

permissions-nodes-contract-enabled

--permissions-nodes-contract-enabled[=<true|false>]
--permissions-nodes-contract-enabled=true
BESU_PERMISSIONS_NODES_CONTRACT_ENABLED=true
permissions-nodes-contract-enabled=true

Enables or disables contract-based onchain node permissioning. The default is false.

permissions-nodes-contract-version

--permissions-nodes-contract-version=<ContractVersion>
--permissions-nodes-contract-version=2
BESU_PERMISSIONS_NODES_CONTRACT_VERSION=2
permissions-nodes-contract-version=2

Version of the EEA node permissioning interface. The default is 1.

privacy-enabled

--privacy-enabled[=<true|false>]
--privacy-enabled=false
BESU_PRIVACY_ENABLED=false
privacy-enabled=false

Enables or disables private transactions. The default is false.

Important

Using private transactions with pruning or fast sync is not supported.

privacy-marker-transaction-signing-key-file

--privacy-marker-transaction-signing-key-file=<FILE>
--privacy-marker-transaction-signing-key-file=/home/me/me_node/myPrivateKey
BESU_PRIVACY_MARKER_TRANSACTION_SIGNING_KEY_FILE=/home/me/me_node/myPrivateKey
privacy-marker-transaction-signing-key-file="/home/me/me_node/myPrivateKey"

<FILE> is the name of the private key file used to sign privacy marker transactions.

Note

This can be the same file used by --node-private-key-file, or a different key file to identify who signed the privacy marker transaction.

You must specify this option if you’re using:

  • a privacy network where you pay gas. Also, the associated account must contain adequate funds.
  • account permissioning and privacy. You must include the corresponding public key in the accounts allowlist.

If you do not specify this option (for example, in a free gas network), Besu signs each transaction with a different randomly generated key.

privacy-multi-tenancy-enabled

--privacy-multi-tenancy-enabled[=<true|false>]
--privacy-multi-tenancy-enabled=false
BESU_PRIVACY_MULTI_TENANCY_ENABLED=false
privacy-multi-tenancy-enabled=false

Enables or disables multi-tenancy for private transactions. The default is false.

privacy-flexible-groups-enabled

--privacy-flexible-groups-enabled[=<true|false>]
--privacy-flexible-groups-enabled=true
BESU_PRIVACY_FLEXIBLE_GROUPS_ENABLED=true
privacy-flexible-groups-enabled=true

Enables or disables flexible privacy groups. The default is false.

Deprecated syntax for this option is --privacy-onchain-groups-enabled.

privacy-public-key-file

--privacy-public-key-file=<privacyPublicKeyFile>
--privacy-public-key-file=Tessera/nodeKey.pub
BESU_PRIVACY_PUBLIC_KEY_FILE=Tessera/nodeKey.pub
privacy-public-key-file="Tessera/nodeKey.pub"

The public key of the Tessera node.

Important

You cannot specify privacy-public-key-file when --privacy-multi-tenancy-enabled is true.

privacy-tls-enabled

--privacy-tls-enabled[=<true|false>]
--privacy-tls-enabled=false
BESU_PRIVACY_TLS_ENABLED=false
privacy-tls-enabled=false

Enables or disables TLS on communication with the private transaction manager. The default is false.

privacy-tls-keystore-file

--privacy-tls-keystore-file=<FILE>
--privacy-tls-keystore-file=/home/me/me_node/key
BESU_PRIVACY_TLS_KEYSTORE_FILE=/home/me/me_node/key
privacy-tls-keystore-file="/home/me/me_node/key"

The keystore file (in PKCS #12 format) containing the private key and the certificate presented during authentication.

You must specify privacy-tls-keystore-file if --privacy-tls-enabled is true.

privacy-tls-keystore-password-file

--privacy-tls-keystore-password-file=<FILE>
--privacy-tls-keystore-password-file=/home/me/me_node/password
BESU_PRIVACY_TLS_KEYSTORE_PASSWORD_FILE=/home/me/me_node/password
privacy-tls-keystore-password-file="/home/me/me_node/password"

The path to the file containing the password to decrypt the keystore.

privacy-tls-known-enclave-file

--privacy-tls-known-enclave-file=<FILE>
--privacy-tls-known-enclave-file=/home/me/me_node/knownEnclave
BESU_PRIVACY_TLS_KNOWN_ENCLAVE_FILE=/home/me/me_node/knownEnclave
privacy-tls-known-enclave-file="/home/me/me_node/knownEnclave"

The path to the file containing the hostnames, ports, and SHA256 certificate fingerprints of the authorized privacy enclave.

privacy-url

--privacy-url=<privacyUrl>
--privacy-url=http://127.0.0.1:8888
BESU_PRIVACY_URL=http://127.0.0.1:8888
privacy-url="http://127.0.0.1:8888"

The URL on which the Tessera node is running.
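
Several privacy options above depend on one another: the keystore file is required with TLS, the public key file conflicts with multi-tenancy, and the marker signing key is required with account permissioning. The following is an added example, not Besu code, that checks those constraints before a node starts. It assumes all settings are supplied through the BESU_* environment variables. The function names are hypothetical, and the file-permission check is an added policy, not a Besu requirement.

```bash
#!/bin/sh
# Added example, not Besu code. Reads the BESU_* environment variables and
# reports violations of the option constraints stated on this page.
# Prints one line per finding and returns the number of findings.

_is_true() { [ "$1" = "true" ]; }
_finding() { echo "FAIL: $1"; findings=$((findings + 1)); }

check_besu_privacy_env() {
    findings=0
    # privacy-tls-keystore-file is mandatory once TLS is enabled.
    if _is_true "${BESU_PRIVACY_TLS_ENABLED:-false}" &&
       [ -z "${BESU_PRIVACY_TLS_KEYSTORE_FILE:-}" ]; then
        _finding "privacy-tls-enabled=true requires privacy-tls-keystore-file"
    fi
    # privacy-public-key-file is not allowed with multi-tenancy.
    if _is_true "${BESU_PRIVACY_MULTI_TENANCY_ENABLED:-false}" &&
       [ -n "${BESU_PRIVACY_PUBLIC_KEY_FILE:-}" ]; then
        _finding "privacy-public-key-file set while multi-tenancy is enabled"
    fi
    # Account permissioning plus privacy needs a fixed marker signing key,
    # otherwise each marker transaction is signed with a random key.
    if _is_true "${BESU_PRIVACY_ENABLED:-false}" &&
       { _is_true "${BESU_PERMISSIONS_ACCOUNTS_CONFIG_FILE_ENABLED:-false}" ||
         _is_true "${BESU_PERMISSIONS_ACCOUNTS_CONTRACT_ENABLED:-false}"; } &&
       [ -z "${BESU_PRIVACY_MARKER_TRANSACTION_SIGNING_KEY_FILE:-}" ]; then
        _finding "account permissioning with privacy requires privacy-marker-transaction-signing-key-file"
    fi
    # Added policy (an assumption, not a Besu rule): key material and the
    # keystore password must not be readable by group or others.
    for _f in "${BESU_PRIVACY_MARKER_TRANSACTION_SIGNING_KEY_FILE:-}" \
              "${BESU_PRIVACY_TLS_KEYSTORE_FILE:-}" \
              "${BESU_PRIVACY_TLS_KEYSTORE_PASSWORD_FILE:-}"; do
        [ -e "$_f" ] || continue
        if [ -n "$(find "$_f" -prune \( -perm -040 -o -perm -004 \))" ]; then
            _finding "$_f is readable by group or others"
        fi
    done
    return "$findings"
}
```

Run `check_besu_privacy_env` in the same environment that launches Besu. Settings passed on the command line or in the configuration file are not visible to it.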