Skip to Content
Technical Articles
Author's profile photo Ferry Djaja

Apply Asymmetric Encryption in Chaincode

In this blog, we’ll learn how to implement simple asymmetric key encryption with public and private key in chaincode app in SAP Hyperledger Fabric. Using the example in this blog  may not be an ideal solution to implement in the real scenario, but let’s test and see the functionality.

The functionality and code structures are based on the SAP help Use End-to-End Encryption in Chaincode with slight modifications.

Create chaincode app

Create a chaincode app in Go to handle the encryption-description with Go RSA lib.

I have prepared the chaincode app to perform the encrypt/decrypt with the supplied public and private key from the transient field.

case "ENCRYPT":
        if _, in := tMap[ENCKEY]; !in {
           return shim.Error(fmt.Sprintf("Expected transient encryption key %s", ENCKEY))

	encKey := string(tMap[ENCKEY])

        if _, ok := tMap[KEY]; !ok {
           return Error(http.StatusBadRequest, "Cannot find state key")
        if _, ok := tMap[VALUE]; !ok {
   	   return Error(http.StatusBadRequest, "Cannot find state value")

	args := []string{string(tMap[KEY]), string(tMap[VALUE])}

	return cc.RsaEncrypt(stub, args[0:], encKey)

      case "DECRYPT":
        if _, in := tMap[DECKEY]; !in {
           return shim.Error(fmt.Sprintf("Expected transient decryption key %s", DECKEY))
	decKey := string(tMap[DECKEY])

        if _, ok := tMap[KEY]; !ok {
	   return Error(http.StatusBadRequest, "Cannot find state key")

        args := []string{string(tMap[KEY])}

        return cc.RsaDecrypt(stub, args[0:], decKey)

Install the chaincode

Install and instantiate.

Call the chaincode with SAP API Hub

  • Navigate to Channel and select Service Key.
  • Expand the Service Key and write down the clientId, clientSecret and identityZone.
  • Navigate to Chaincode and write down the Chaincode ID.
  • Navigate to API.
  • On the SAP API Business Hub screen, select Configure Environments.
  • From the information we gathered, fill in the required information below and save it.
  • Select the environment that we just created and select POST /chaincodes/{chaincodeId}/{version}/invoke.
  • Select Try out.
  • To generate public and private key, install the openSSL command line and run the following to generate:
    Private key:

    openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -out key.pem​

    Public key:

    openssl rsa -in key.pem  -pubout > key-pub.pem​

  • Open the generated file pem files and replace the new line characters with \r\n.

Perform Encryption

Fill in the required information:

  • chaincodeId,
  • version (we can just put with “latest”).
  • Body with this JSON object. Fill in the ENCKEY field with the information from public key key-pub.pem.
      "function": "ENCRYPT",
      "arguments": [],
      "transient": {
        "key": "10008",
        "value": "Hello RSA Encryption",
        "ENCKEY": "<!!Replace with data from key-pub.pem!!>"

  • Click Execute, if there is no error, you will see the transaction Id and response code “OK”.
  • Navigate to Explore and verify the transaction ID.

Perform Decryption

Fill in the required information:

  • chaincodeId,
  • version (we can just put with “latest”).
  • Body with this JSON object. Fill in the ENCKEY field with the information from private key key.pem.
      "function": "DECRYPT",
      "arguments": [],
      "transient": {
        "key": "10008",
        "DECKEY": <!!Replace with data from key.pem!!>"

  • Click Execute, if no error, you will get the decrypted message.
  • Verify the transaction id created in Explorer.


Assigned Tags

      1 Comment
      You must be Logged on to comment or reply to a post.
      Author's profile photo Michael Davison
      Michael Davison

      In Fabric, how the key used for data encryption is supposed to be shared?

      With FAB-830 implemented in Fabric v1.1, it is now possible for the chain code to encrypt the data stored in the state. The idea is: the symmetric encryption key is passed as a transient parameter and is therefore only known to the endorsers. This allows to run business logic on clear data and upsert encrypted data (such on-chain encryption is impossible in Ethereum and most other blockchains AFAIK).

      The part I still miss is: how the organizations which are supposed to share the secret get to know the symmetric key?

      Also, even if the endorser get the transient key from the sender as part of the transaction proposal, is there any out-of-the-box way to store it?


      Thanks & Regards

      Ask For Verizon Help