github.com/Aestek/consul@v1.2.4-0.20190309222502-b2c31e33971a/website/source/docs/agent/encryption.html.md (about) 1 --- 2 layout: "docs" 3 page_title: "Encryption" 4 sidebar_current: "docs-agent-encryption" 5 description: |- 6 The Consul agent supports encrypting all of its network traffic. The exact method of encryption is described on the encryption internals page. There are two separate encryption systems, one for gossip traffic and one for RPC. 7 --- 8 9 # Encryption 10 11 The Consul agent supports encrypting all of its network traffic. The exact 12 method of encryption is described on the [encryption internals page](/docs/internals/security.html). 13 There are two separate encryption systems, one for gossip traffic and one for RPC. 14 If you are configuring encryption, review this [guide](/docs/guides/agent-encryption.html). 15 16 ## Gossip Encryption 17 18 Enabling gossip encryption only requires that you set an encryption key when 19 starting the Consul agent. The key can be set via the `encrypt` parameter: the 20 value of this setting is a configuration file containing the encryption key. 21 22 ~> **WAN Joined Datacenters Note:** If using multiple WAN joined datacenters, be sure to use _the same encryption key_ in all datacenters. 23 24 The key must be 16-bytes, Base64 encoded. As a convenience, Consul provides the 25 [`consul keygen`](/docs/commands/keygen.html) command to generate a 26 cryptographically suitable key: 27 28 ```text 29 $ consul keygen 30 cg8StVXbQJ0gPvMd9o7yrg== 31 ``` 32 33 With that key, you can enable encryption on the agent. If encryption is enabled, 34 the output of [`consul agent`](/docs/commands/agent.html) will include "Encrypt: true": 35 36 ```text 37 $ cat encrypt.json 38 {"encrypt": "cg8StVXbQJ0gPvMd9o7yrg=="} 39 40 $ consul agent -data-dir=/tmp/consul -config-file=encrypt.json 41 ==> WARNING: LAN keyring exists but -encrypt given, using keyring 42 ==> WARNING: WAN keyring exists but -encrypt given, using keyring 43 ==> Starting Consul agent... 44 ==> Starting Consul agent RPC... 45 ==> Consul agent running! 46 Node name: 'Armons-MacBook-Air.local' 47 Datacenter: 'dc1' 48 Server: false (bootstrap: false) 49 Client Addr: 127.0.0.1 (HTTP: 8500, HTTPS: -1, DNS: 8600, RPC: 8400) 50 Cluster Addr: 10.1.10.12 (LAN: 8301, WAN: 8302) 51 Gossip encrypt: true, RPC-TLS: false, TLS-Incoming: false 52 ... 53 ``` 54 55 All nodes within a Consul cluster must share the same encryption key in 56 order to send and receive cluster information. 57 58 ## Configuring Gossip Encryption on an existing cluster 59 60 As of version 0.8.4, Consul supports upshifting to encrypted gossip on a running cluster 61 through the following process. Review this [step-by-step guide](/docs/guides/agent-encryption.html#enable-gossip-encryption-existing-cluster) 62 to encrypt gossip on an existing cluster. 63 64 ## RPC Encryption with TLS 65 66 Consul supports using TLS to verify the authenticity of servers and clients. To enable this, 67 Consul requires that all clients and servers have key pairs that are generated by a single 68 Certificate Authority. This can be a private CA, used only internally. The 69 CA then signs keys for each of the agents, as in 70 [this tutorial on generating both a CA and signing keys](/docs/guides/creating-certificates.html). 71 72 TLS can be used to verify the authenticity of the servers or verify the authenticity of clients. 73 These modes are controlled by the [`verify_outgoing`](/docs/agent/options.html#verify_outgoing), 74 [`verify_server_hostname`](/docs/agent/options.html#verify_server_hostname), 75 and [`verify_incoming`](/docs/agent/options.html#verify_incoming) options, respectively. 76 77 If [`verify_outgoing`](/docs/agent/options.html#verify_outgoing) is set, agents verify the 78 authenticity of Consul for outgoing connections. Server nodes must present a certificate signed 79 by a common certificate authority present on all agents, set via the agent's 80 [`ca_file`](/docs/agent/options.html#ca_file) and [`ca_path`](/docs/agent/options.html#ca_path) 81 options. All server nodes must have an appropriate key pair set using [`cert_file`] 82 (/docs/agent/options.html#cert_file) and [`key_file`](/docs/agent/options.html#key_file). 83 84 If [`verify_server_hostname`](/docs/agent/options.html#verify_server_hostname) is set, then 85 outgoing connections perform hostname verification. All servers must have a certificate 86 valid for `server.<datacenter>.<domain>` or the client will reject the handshake. This is 87 a new configuration as of 0.5.1, and it is used to prevent a compromised client from being 88 able to restart in server mode and perform a MITM (Man-In-The-Middle) attack. New deployments should set this 89 to true, and generate the proper certificates, but this is defaulted to false to avoid breaking 90 existing deployments. 91 92 If [`verify_incoming`](/docs/agent/options.html#verify_incoming) is set, the servers verify the 93 authenticity of all incoming connections. All clients must have a valid key pair set using 94 [`cert_file`](/docs/agent/options.html#cert_file) and 95 [`key_file`](/docs/agent/options.html#key_file). Servers will 96 also disallow any non-TLS connections. To force clients to use TLS, 97 [`verify_outgoing`](/docs/agent/options.html#verify_outgoing) must also be set. 98 99 TLS is used to secure the RPC calls between agents, but gossip between nodes is done over UDP 100 and is secured using a symmetric key. See above for enabling gossip encryption. 101 102 ## Configuring TLS on an existing cluster 103 104 As of version 0.8.4, Consul supports migrating to TLS-encrypted traffic on a running cluster 105 without downtime. This process assumes a starting point with no TLS settings configured, and involves 106 an intermediate step in order to get to full TLS encryption. Review this step-by-step 107 [guide](/docs/guides/agent-encryption.html#enable-tls-existing-cluster) to learn how. 108