github.com/hspak/nomad@v0.7.2-0.20180309000617-bc4ae22a39a5/website/source/docs/agent/encryption.html.md (about)

     1  ---
     2  layout: "docs"
     3  page_title: "Gossip and RPC Encryption"
     4  sidebar_current: "docs-agent-encryption"
     5  description: |-
     6    Learn how to configure Nomad to encrypt HTTP, RPC, and Serf traffic.
     7  ---
     8  
     9  # Encryption
    10  
    11  The Nomad agent supports encrypting all of its network traffic. There are
    12  two separate encryption systems, one for gossip traffic, and one for HTTP and
    13  RPC.
    14  
    15  ## Gossip
    16  
    17  Enabling gossip encryption only requires that you set an encryption key when
    18  starting the Nomad server. The key can be set via the
    19  [`encrypt`](/docs/agent/configuration/server.html#encrypt) parameter: the value
    20  of this setting is a server configuration file containing the encryption key.
    21  
    22  The key must be 16 bytes, base64 encoded. As a convenience, Nomad provides the
    23  [`nomad keygen`](/docs/commands/keygen.html) command to generate a cryptographically suitable key:
    24  
    25  ```sh
    26  $ nomad keygen
    27  cg8StVXbQJ0gPvMd9o7yrg==
    28  ```
    29  
    30  With that key, you can enable gossip encryption on the agent.
    31  
    32  
    33  ## HTTP, RPC, and Raft Encryption with TLS
    34  
    35  Nomad supports using TLS to verify the authenticity of servers and clients. To
    36  enable this, Nomad requires that all clients and servers have key pairs that are
    37  generated and signed by a private Certificate Authority (CA).
    38  
    39  TLS can be used to verify the authenticity of the servers and clients. The
    40  configuration option [`verify_server_hostname`][tls] causes Nomad to verify that
    41  a certificate is provided that is signed by the Certificate Authority from the
    42  [`ca_file`][tls] for TLS connections.
    43  
    44  If `verify_server_hostname` is set, then outgoing connections perform
    45  hostname verification. Unlike traditional HTTPS browser validation, all servers
    46  must have a certificate valid for `server.<region>.nomad` or the client will
    47  reject the handshake. It is also recommended for the certificate to sign
    48  `localhost` such that the CLI can validate the server name.
    49  
    50  TLS is used to secure the RPC calls between agents, but gossip between nodes is
    51  done over UDP and is secured using a symmetric key. See above for enabling
    52  gossip encryption.
    53  
    54  ### Configuring the command line tool
    55  
    56  If you have HTTPS enabled for your Nomad agent, you must export environment
    57  variables for the command line tool to also use HTTPS:
    58  
    59  ```sh
    60  # NOMAD_ADDR defaults to http://, so set it to https
    61  # Alternatively you can use the -address flag
    62  export NOMAD_ADDR=https://127.0.0.1:4646
    63  
    64  # Set the location of your CA certificate
    65  # Alternatively you can use the -ca-cert flag
    66  export NOMAD_CACERT=/path/to/ca.pem
    67  ```
    68  
    69  Run any command except `agent` with `-h` to see all environment variables and
    70  flags. For example: `nomad status -h`
    71  
    72  By default HTTPS does not validate client certificates, so you do not need to
    73  give the command line tool access to any private keys.
    74  
    75  ### Network Isolation with TLS
    76  
    77  If you want to isolate Nomad agents on a network with TLS you need to enable
    78  both [`verify_https_client`][tls] and [`verify_server_hostname`][tls]. This
    79  will cause agents to require client certificates for all incoming HTTPS
    80  connections as well as verify proper names on all other certificates.
    81  
    82  Consul will not attempt to health check agents with `verify_https_client` set
    83  as it is unable to use client certificates.
    84  
    85  # Configuring Nomad with TLS
    86  
    87  Read the [Securing Nomad with TLS Guide][guide] for details on how to configure
    88  encryption for Nomad.
    89  
    90  [guide]: /guides/securing-nomad.html "Securing Nomad with TLS"
    91  [tls]: /docs/agent/configuration/tls.html "Nomad TLS Configuration"