Skip to main content

Private network command line options

This reference describes the syntax of the Besu private network command line interface (CLI) options.

Important

This reference contains options that apply to only private networks. For options that apply to both private and public networks, see the public network options reference.

Specify options

You can specify Besu options:

  • On the command line.

    besu [OPTIONS] [SUBCOMMAND]
  • As an environment variable. For each command line option, the equivalent environment variable is:

    • Uppercase.
    • _ replaces -.
    • Has a BESU_ prefix.

    For example, set --miner-coinbase using the BESU_MINER_COINBASE environment variable.

  • In a configuration file.

If you specify an option in more than one place, the order of priority is command line, environment variable, configuration file.

If using Bash or Z shell, you can view option suggestions by entering -- and pressing the Tab key twice.

besu --Tab+Tab
caution

Characters such as smart quotes and long (em) hyphens don't work in Besu command line options. Ensure quotes aren't automatically converted to smart quotes, or double hyphens combined into em hyphens.

Options

permissions-accounts-config-file

--permissions-accounts-config-file=<FILE>

The accounts permissions configuration file. The default is the permissions_config.toml file in the data directory.

tip

--permissions-accounts-config-file and --permissions-nodes-config-file can use the same file.

permissions-accounts-config-file-enabled

--permissions-accounts-config-file-enabled[=<true|false>]

Enables or disables file-based account level permissions. The default is false.

permissions-accounts-contract-address (Deprecated)

--permissions-accounts-contract-address=<ContractAddress>

The contract address for onchain account permissioning.

permissions-accounts-contract-enabled (Deprecated)

--permissions-accounts-contract-enabled[=<true|false>]

Enables or disables contract-based onchain account permissioning. The default is false.

caution

Onchain permissioning is deprecated in Besu version 24.12.0 and later. Please read this blog post for more context on the rationale behind this decision as well as alternative options.

permissions-nodes-config-file

--permissions-nodes-config-file=<FILE>

The nodes permissions configuration file. The default is the permissions_config.toml file in the data directory.

tip

--permissions-nodes-config-file and --permissions-accounts-config-file can use the same file.

permissions-nodes-config-file-enabled

--permissions-nodes-config-file-enabled[=<true|false>]

Enables or disables file-based node level permissions. The default is false.

permissions-nodes-contract-address (Deprecated)

--permissions-nodes-contract-address=<ContractAddress>

The contract address for onchain node permissioning.

permissions-nodes-contract-enabled (Deprecated)

--permissions-nodes-contract-enabled[=<true|false>]

Enables or disables contract-based onchain node permissioning. The default is false.

caution

Onchain permissioning is deprecated in Besu version 24.12.0 and later. Please read this blog post for more context on the rationale behind this decision as well as alternative options.

permissions-nodes-contract-version (Deprecated)

--permissions-nodes-contract-version=<ContractVersion>

Version of the EEA node permissioning interface. The default is 1.

poa-block-txs-selection-max-time

--poa-block-txs-selection-max-time=<INTEGER>

The maximum time that can be spent selecting transactions to be included in a block, as a percentage of the fixed block time of the network. The default is 75, or 75%.

note

This option only applies to proof-of-authority networks. For proof-of-stake and proof-of-work networks, see --block-txs-selection-max-time.

privacy-enabled (Deprecated)

--privacy-enabled[=<true|false>]

Enables or disables private transactions. The default is false.

caution

Tessera-based privacy is deprecated in Besu version 24.12.0 and later. Please read this blog post for more context on the rationale behind this decision as well as alternative options.

important

Using private transactions with pruning or fast sync is not supported.

privacy-marker-transaction-signing-key-file (Deprecated)

--privacy-marker-transaction-signing-key-file=<FILE>

<FILE> is the name of the private key file used to sign privacy marker transactions.

note

This can be the same file used by --node-private-key-file, or a different key file to identify who signed the privacy marker transaction.

You must specify this option if you're using:

  • a privacy network where you pay gas. Also, the associated account must contain adequate funds.
  • account permissioning and privacy. You must include the corresponding public key in the accounts allowlist.

If you do not specify this option (for example, in a free gas network), Besu signs each transaction with a different randomly generated key.

privacy-multi-tenancy-enabled (Deprecated)

--privacy-multi-tenancy-enabled[=<true|false>]

Enables or disables multi-tenancy for private transactions. The default is false.

privacy-flexible-groups-enabled (Deprecated)

--privacy-flexible-groups-enabled[=<true|false>]

Enables or disables flexible privacy groups. The default is false.

Deprecated syntax for this option is --privacy-onchain-groups-enabled.

privacy-public-key-file (Deprecated)

--privacy-public-key-file=<privacyPublicKeyFile>

The public key of the Tessera node.

important

You cannot specify privacy-public-key-file when --privacy-multi-tenancy-enabled is true

privacy-tls-enabled (Deprecated)

--privacy-tls-enabled[=<true|false>]

Enables or disables TLS on communication with the private transaction manager. The default is false.

privacy-tls-keystore-file (Deprecated)

--privacy-tls-keystore-file=<FILE>

The keystore file (in PKCS #12 format) containing the private key and the certificate presented during authentication.

You must specify privacy-tls-keystore-file if --privacy-tls-enabled is true.

privacy-tls-keystore-password-file (Deprecated)

--privacy-tls-keystore-password-file=<FILE>

The path to the file containing the password to decrypt the keystore.

privacy-tls-known-enclave-file (Deprecated)

--privacy-tls-known-enclave-file=<FILE>

The path to the file containing the hostnames, ports, and SHA256 certificate fingerprints of the authorized privacy enclave.

privacy-url (Deprecated)

--privacy-url=<privacyUrl>

The URL on which the Tessera node is running.