added deprecation notice to CLI options for privacy (#1734)

* added deprecation notice to CLI options for privacy

Signed-off-by: Sally MacFarlane <[email protected]>

* fix links

Signed-off-by: Alexandra Tran <[email protected]>

---------

Signed-off-by: Sally MacFarlane <[email protected]>
Signed-off-by: Alexandra Tran <[email protected]>
Co-authored-by: Alexandra Tran <[email protected]>
Co-authored-by: Alexandra Carrillo <[email protected]>

docs/private-networks/concepts/permissioning/onchain.md

@@ -48,7 +48,7 @@ Permissioning implements three allowlists:
 
 Account permissioning is incompatible with [random key signing](../../how-to/use-privacy/sign-pmts.md) for [privacy marker transactions](../privacy/private-transactions/processing.md).
 
-If using account permissioning and privacy, a signing key must be specified using the [`--privacy-marker-transaction-signing-key-file`](../../reference/cli/options.md#privacy-marker-transaction-signing-key-file) command line option and the corresponding public key included in the accounts allowlist.
+If using account permissioning and privacy, a signing key must be specified using the [`--privacy-marker-transaction-signing-key-file`](../../reference/cli/options.md#privacy-marker-transaction-signing-key-file-deprecated) command line option and the corresponding public key included in the accounts allowlist.
 
 :::
 

docs/private-networks/concepts/privacy/private-transactions/index.md

@@ -72,7 +72,7 @@ The following private transaction flow illustrates when nonce validation occurs:
 
 1. Submit a private transaction with a [nonce value](#private-transaction-nonce).
 1. The private transaction is distributed to all participants in the privacy group.
-1. The PMT is created and submitted to the transaction pool with a nonce of `0` if using one-time accounts. If using a specific account with [`--privacy-marker-transaction-signing-key-file`](../../../reference/cli/options.md#privacy-marker-transaction-signing-key-file), the public nonce for that account is obtained and used for the PMT.
+1. The PMT is created and submitted to the transaction pool with a nonce of `0` if using one-time accounts. If using a specific account with [`--privacy-marker-transaction-signing-key-file`](../../../reference/cli/options.md#privacy-marker-transaction-signing-key-file-deprecated), the public nonce for that account is obtained and used for the PMT.
 1. The PMT is mined and included in the block.
 1. After the block containing the PMT is imported, and the PMT is processed, the private transaction is retrieved from the private transaction manager and executed.
 

docs/private-networks/how-to/configure/tls/client-and-server.md

@@ -120,10 +120,10 @@ besu --privacy-tls-enabled --privacy-tls-keystore-file=/Users/me/my_node/keystor
 
 The command line:
 
-- Enables TLS with the server using the [`--privacy-tls-enabled`](../../../reference/cli/options.md#privacy-tls-enabled) option.
-- Specifies the keystore using the [`--privacy-tls-keystore-file`](../../../reference/cli/options.md#privacy-tls-keystore-file) option.
-- Specifies the file that contains the password to decrypt the keystore using the [`--privacy-tls-keystore-password-file`](../../../reference/cli/options.md#privacy-tls-keystore-password-file) option.
-- Specifies the trusted servers using the [`--privacy-tls-known-enclave-file`](../../../reference/cli/options.md#privacy-tls-known-enclave-file) option.
+- Enables TLS with the server using the [`--privacy-tls-enabled`](../../../reference/cli/options.md#privacy-tls-enabled-deprecated) option.
+- Specifies the keystore using the [`--privacy-tls-keystore-file`](../../../reference/cli/options.md#privacy-tls-keystore-file-deprecated) option.
+- Specifies the file that contains the password to decrypt the keystore using the [`--privacy-tls-keystore-password-file`](../../../reference/cli/options.md#privacy-tls-keystore-password-file-deprecated) option.
+- Specifies the trusted servers using the [`--privacy-tls-known-enclave-file`](../../../reference/cli/options.md#privacy-tls-known-enclave-file-deprecated) option.
 
 <!-- Links -->
 

docs/private-networks/how-to/use-permissioning/local.md

@@ -100,7 +100,7 @@ Account allowlisting is at the node level. That is, each node in the network has
 
 Account permissioning is incompatible with [random key signing](../use-privacy/sign-pmts.md) for [privacy marker transactions](../../concepts/privacy/private-transactions/processing.md).
 
-If using account permissioning and privacy, a signing key must be specified using the [`--privacy-marker-transaction-signing-key-file`](../../reference/cli/options.md#privacy-marker-transaction-signing-key-file) command line option and the corresponding public key included in the accounts allowlist.
+If using account permissioning and privacy, a signing key must be specified using the [`--privacy-marker-transaction-signing-key-file`](../../reference/cli/options.md#privacy-marker-transaction-signing-key-file-deprecated) command line option and the corresponding public key included in the accounts allowlist.
 
 :::
 

docs/private-networks/how-to/use-privacy/flexible.md

@@ -34,7 +34,7 @@ We don't recommend creating flexible privacy groups in a chain with existing [of
 
 ## Enable flexible privacy groups
 
-Use the [`--privacy-flexible-groups-enabled`](../../reference/cli/options.md#privacy-flexible-groups-enabled) command line option to enable [flexible privacy groups](../../concepts/privacy/flexible-privacy.md). When flexible privacy groups are enabled, the [`priv_createPrivacyGroup`](../../reference/api/index.md#priv_createprivacygroup), [`priv_deletePrivacyGroup`](../../reference/api/index.md#priv_deleteprivacygroup), and [`priv_findPrivacyGroup`](../../reference/api/index.md#priv_findprivacygroup) methods for [offchain privacy groups](../../concepts/privacy/privacy-groups.md) are disabled.
+Use the [`--privacy-flexible-groups-enabled`](../../reference/cli/options.md#privacy-flexible-groups-enabled-deprecated) command line option to enable [flexible privacy groups](../../concepts/privacy/flexible-privacy.md). When flexible privacy groups are enabled, the [`priv_createPrivacyGroup`](../../reference/api/index.md#priv_createprivacygroup), [`priv_deletePrivacyGroup`](../../reference/api/index.md#priv_deleteprivacygroup), and [`priv_findPrivacyGroup`](../../reference/api/index.md#priv_findprivacygroup) methods for [offchain privacy groups](../../concepts/privacy/privacy-groups.md) are disabled.
 
 ## Simple flexible privacy group example
 

docs/private-networks/how-to/use-privacy/performance-best-practices.md

@@ -50,7 +50,7 @@ For performance and reliability it is advantageous to manage nonces in a statefu
 
 ### Use random senders for privacy marker transactions
 
-To avoid public nonce management, privacy marker transactions can be sent using a [random account per transaction](../../../private-networks/reference/cli/options.md#privacy-marker-transaction-signing-key-file). This option is only available for zero gas networks.
+To avoid public nonce management, privacy marker transactions can be sent using a [random account per transaction](../../../private-networks/reference/cli/options.md#privacy-marker-transaction-signing-key-file-deprecated). This option is only available for zero gas networks.
 
 ### Avoid queuing transactions in Tessera
 

docs/private-networks/how-to/use-privacy/sign-pmts.md

@@ -14,7 +14,7 @@ Tessera-based privacy is deprecated in Besu version 24.11.0 and later. Please re
 
 :::
 
-You can sign privacy marker transactions (PMTs) with either a random key or a specified key. To sign privacy marker transactions with a specified private key, use [`--privacy-marker-transaction-signing-key-file`](../../reference/cli/options.md#privacy-marker-transaction-signing-key-file) when starting Besu.
+You can sign privacy marker transactions (PMTs) with either a random key or a specified key. To sign privacy marker transactions with a specified private key, use [`--privacy-marker-transaction-signing-key-file`](../../reference/cli/options.md#privacy-marker-transaction-signing-key-file-deprecated) when starting Besu.
 
 :::note
 
@@ -24,13 +24,13 @@ The private key file can be the same file used by [`--node-private-key-file`](#n
 
 In networks where you pay gas, you must specify a key and the associated account must contain adequate funds.
 
-In [free gas networks](../configure/free-gas.md), to provide further anonymity by signing each privacy marker transaction with a different random key, exclude the [`--privacy-marker-transaction-signing-key-file`](../../reference/cli/options.md#privacy-marker-transaction-signing-key-file) command line option when starting Besu.
+In [free gas networks](../configure/free-gas.md), to provide further anonymity by signing each privacy marker transaction with a different random key, exclude the [`--privacy-marker-transaction-signing-key-file`](../../reference/cli/options.md#privacy-marker-transaction-signing-key-file-deprecated) command line option when starting Besu.
 
 :::caution "Using account permissioning and privacy"
 
 You can't use [account permissioning] with random key signing.
 
-If using account permissioning and privacy, a signing key must be specified using the [`--privacy-marker-transaction-signing-key-file`](../../reference/cli/options.md#privacy-marker-transaction-signing-key-file) command line option and the corresponding public key included in the accounts allowlist.
+If using account permissioning and privacy, a signing key must be specified using the [`--privacy-marker-transaction-signing-key-file`](../../reference/cli/options.md#privacy-marker-transaction-signing-key-file-deprecated) command line option and the corresponding public key included in the accounts allowlist.
 
 :::
 

docs/private-networks/reference/api/index.md

@@ -1809,7 +1809,7 @@ curl -X POST --data '{"jsonrpc": "2.0","method": "priv_getLogs","params":["vGy/T
 
 ### `priv_getPrivacyPrecompileAddress`
 
-Returns the address of the [privacy precompiled contract](../../concepts/privacy/private-transactions/processing.md). The address is derived and based on the value of the [`privacy-flexible-groups-enabled`](../cli/options.md#privacy-flexible-groups-enabled) option.
+Returns the address of the [privacy precompiled contract](../../concepts/privacy/private-transactions/processing.md). The address is derived and based on the value of the [`privacy-flexible-groups-enabled`](../cli/options.md#privacy-flexible-groups-enabled-deprecated) option.
 
 #### Parameters
 

docs/private-networks/reference/cli/options.md

@@ -475,7 +475,7 @@ For proof-of-stake and proof-of-work networks, see
 [`--block-txs-selection-max-time`](../../../public-networks/reference/cli/options.md#block-txs-selection-max-time).
 :::
 
-### `privacy-enabled`
+### `privacy-enabled` (Deprecated)
 
 <Tabs>
 
@@ -515,13 +515,19 @@ privacy-enabled=false
 
 Enables or disables [private transactions](../../concepts/privacy/index.md). The default is `false`.
 
+:::caution
+
+Tessera-based privacy is deprecated in Besu version 24.11.0 and later. Please read this [blog post](https://www.lfdecentralizedtrust.org/blog/sunsetting-tessera-and-simplifying-hyperledger-besu) for more context on the rationale behind this decision as well as alternative options.
+
+:::
+
 :::important
 
 Using private transactions with [pruning](../../../public-networks/concepts/data-storage-formats.md) or [fast sync](../../../public-networks/reference/cli/options.md#sync-mode) is not supported.
 
 :::
 
-### `privacy-marker-transaction-signing-key-file`
+### `privacy-marker-transaction-signing-key-file` (Deprecated)
 
 <Tabs>
 
@@ -574,7 +580,7 @@ You must specify this option if you're using:
 
 If you do not specify this option (for example, in a free gas network), Besu signs each transaction with a different randomly generated key.
 
-### `privacy-multi-tenancy-enabled`
+### `privacy-multi-tenancy-enabled` (Deprecated)
 
 <Tabs>
 
@@ -614,7 +620,7 @@ privacy-multi-tenancy-enabled=false
 
 Enables or disables [multi-tenancy](../../concepts/privacy/multi-tenancy.md) for private transactions. The default is `false`.
 
-### `privacy-flexible-groups-enabled`
+### `privacy-flexible-groups-enabled` (Deprecated)
 
 <Tabs>
 
@@ -656,7 +662,7 @@ Enables or disables [flexible privacy groups](../../concepts/privacy/flexible-pr
 
 Deprecated syntax for this option is `--privacy-onchain-groups-enabled`.
 
-### `privacy-public-key-file`
+### `privacy-public-key-file` (Deprecated)
 
 <Tabs>
 
@@ -698,11 +704,11 @@ The [public key of the Tessera node](https://docs.tessera.consensys.net/).
 
 :::important
 
-You cannot specify `privacy-public-key-file` when [`--privacy-multi-tenancy-enabled`](#privacy-multi-tenancy-enabled) is `true`
+You cannot specify `privacy-public-key-file` when [`--privacy-multi-tenancy-enabled`](#privacy-multi-tenancy-enabled-deprecated) is `true`
 
 :::
 
-### `privacy-tls-enabled`
+### `privacy-tls-enabled` (Deprecated)
 
 <Tabs>
 
@@ -742,7 +748,7 @@ privacy-tls-enabled=false
 
 Enables or disables [TLS on communication with the private transaction manager]. The default is false.
 
-### `privacy-tls-keystore-file`
+### `privacy-tls-keystore-file` (Deprecated)
 
 <Tabs>
 
@@ -782,9 +788,9 @@ privacy-tls-keystore-file="/home/me/me_node/key"
 
 The keystore file (in PKCS #12 format) containing the private key and the certificate presented during authentication.
 
-You must specify `privacy-tls-keystore-file` if [`--privacy-tls-enabled`](#privacy-tls-enabled) is `true`.
+You must specify `privacy-tls-keystore-file` if [`--privacy-tls-enabled`](#privacy-tls-enabled-deprecated) is `true`.
 
-### `privacy-tls-keystore-password-file`
+### `privacy-tls-keystore-password-file` (Deprecated)
 
 <Tabs>
 
@@ -824,7 +830,7 @@ privacy-tls-keystore-password-file="/home/me/me_node/password"
 
 The path to the file containing the password to decrypt the keystore.
 
-### `privacy-tls-known-enclave-file`
+### `privacy-tls-known-enclave-file` (Deprecated)
 
 <Tabs>
 
@@ -864,7 +870,7 @@ privacy-tls-known-enclave-file="/home/me/me_node/knownEnclave"
 
 The path to the file containing the hostnames, ports, and SHA256 certificate fingerprints of the [authorized privacy enclave](../../how-to/configure/tls/client-and-server.md#create-the-known-servers-file).
 
-### `privacy-url`
+### `privacy-url` (Deprecated)
 
 <Tabs>
 

docs/private-networks/tutorials/privacy/index.md

@@ -363,14 +363,14 @@ besu --data-path=data --genesis-file=..\genesis.json --rpc-http-enabled --rpc-ht
 
 The command line specifies privacy options:
 
-- [`--privacy-enabled`](../../reference/cli/options.md#privacy-enabled) enables privacy.
-- [`--privacy-url`](../../reference/cli/options.md#privacy-url) specifies the Q2T server address of the Tessera node (`Q2T` in `tessera.conf`).
-- [`--privacy-public-key-file`](../../reference/cli/options.md#privacy-public-key-file) specifies the file containing Tessera node public key (created in [3. Generate Tessera Keys](#2-generate-tessera-keys)).
+- [`--privacy-enabled`](../../reference/cli/options.md#privacy-enabled-deprecated) enables privacy.
+- [`--privacy-url`](../../reference/cli/options.md#privacy-url-deprecated) specifies the Q2T server address of the Tessera node (`Q2T` in `tessera.conf`).
+- [`--privacy-public-key-file`](../../reference/cli/options.md#privacy-public-key-file-deprecated) specifies the file containing Tessera node public key (created in [3. Generate Tessera Keys](#2-generate-tessera-keys)).
 - [`--rpc-http-api`](../../../public-networks/reference/cli/options.md#rpc-http-api) includes `EEA` and `PRIV` in the list of JSON-RPC APIs to enable privacy JSON-RPC API methods.
 
 :::note
 
-Use the [`--privacy-marker-transaction-signing-key-file`](../../reference/cli/options.md#privacy-marker-transaction-signing-key-file) command line option to sign [privacy marker transactions](../../concepts/privacy/private-transactions/processing.md) using a supplied key. The command line option is mandatory in privacy-enabled paid gas networks.
+Use the [`--privacy-marker-transaction-signing-key-file`](../../reference/cli/options.md#privacy-marker-transaction-signing-key-file-deprecated) command line option to sign [privacy marker transactions](../../concepts/privacy/private-transactions/processing.md) using a supplied key. The command line option is mandatory in privacy-enabled paid gas networks.
 
 :::
 

docs/private-networks/tutorials/privacy/multi-tenancy.md

@@ -156,9 +156,9 @@ The command line specifies privacy options:
 
 - [`--rpc-http-authentication-enabled`](../../../public-networks/reference/cli/options.md#rpc-http-authentication-enabled) enables authentication for JSON-RPC APIs.
 - [`--rpc-http-authentication-jwt-public-key-file`](../../../public-networks/reference/cli/options.md#rpc-http-authentication-jwt-public-key-file) specifies the Operator's [public key file](#1-generate-a-private-and-public-key-pair). Used to authenticate the [tenant JWTs](#6-generate-the-tenant-jwts).
-- [`--privacy-enabled`](../../reference/cli/options.md#privacy-enabled) enables privacy.
-- [`--privacy-url`](../../reference/cli/options.md#privacy-url) specifies the [Quorum to Tessera (Q2T)] server address of the Tessera node (`Q2T` in `tessera.conf`).
-- [`--privacy-multi-tenancy-enabled`](../../reference/cli/options.md#privacy-multi-tenancy-enabled) enables multi-tenancy.
+- [`--privacy-enabled`](../../reference/cli/options.md#privacy-enabled-deprecated) enables privacy.
+- [`--privacy-url`](../../reference/cli/options.md#privacy-url-deprecated) specifies the [Quorum to Tessera (Q2T)] server address of the Tessera node (`Q2T` in `tessera.conf`).
+- [`--privacy-multi-tenancy-enabled`](../../reference/cli/options.md#privacy-multi-tenancy-enabled-deprecated) enables multi-tenancy.
 
 :::note