github.com/hspak/nomad@v0.7.2-0.20180309000617-bc4ae22a39a5/website/source/docs/agent/encryption.html.md (about) 1 --- 2 layout: "docs" 3 page_title: "Gossip and RPC Encryption" 4 sidebar_current: "docs-agent-encryption" 5 description: |- 6 Learn how to configure Nomad to encrypt HTTP, RPC, and Serf traffic. 7 --- 8 9 # Encryption 10 11 The Nomad agent supports encrypting all of its network traffic. There are 12 two separate encryption systems, one for gossip traffic, and one for HTTP and 13 RPC. 14 15 ## Gossip 16 17 Enabling gossip encryption only requires that you set an encryption key when 18 starting the Nomad server. The key can be set via the 19 [`encrypt`](/docs/agent/configuration/server.html#encrypt) parameter: the value 20 of this setting is a server configuration file containing the encryption key. 21 22 The key must be 16 bytes, base64 encoded. As a convenience, Nomad provides the 23 [`nomad keygen`](/docs/commands/keygen.html) command to generate a cryptographically suitable key: 24 25 ```sh 26 $ nomad keygen 27 cg8StVXbQJ0gPvMd9o7yrg== 28 ``` 29 30 With that key, you can enable gossip encryption on the agent. 31 32 33 ## HTTP, RPC, and Raft Encryption with TLS 34 35 Nomad supports using TLS to verify the authenticity of servers and clients. To 36 enable this, Nomad requires that all clients and servers have key pairs that are 37 generated and signed by a private Certificate Authority (CA). 38 39 TLS can be used to verify the authenticity of the servers and clients. The 40 configuration option [`verify_server_hostname`][tls] causes Nomad to verify that 41 a certificate is provided that is signed by the Certificate Authority from the 42 [`ca_file`][tls] for TLS connections. 43 44 If `verify_server_hostname` is set, then outgoing connections perform 45 hostname verification. Unlike traditional HTTPS browser validation, all servers 46 must have a certificate valid for `server.<region>.nomad` or the client will 47 reject the handshake. It is also recommended for the certificate to sign 48 `localhost` such that the CLI can validate the server name. 49 50 TLS is used to secure the RPC calls between agents, but gossip between nodes is 51 done over UDP and is secured using a symmetric key. See above for enabling 52 gossip encryption. 53 54 ### Configuring the command line tool 55 56 If you have HTTPS enabled for your Nomad agent, you must export environment 57 variables for the command line tool to also use HTTPS: 58 59 ```sh 60 # NOMAD_ADDR defaults to http://, so set it to https 61 # Alternatively you can use the -address flag 62 export NOMAD_ADDR=https://127.0.0.1:4646 63 64 # Set the location of your CA certificate 65 # Alternatively you can use the -ca-cert flag 66 export NOMAD_CACERT=/path/to/ca.pem 67 ``` 68 69 Run any command except `agent` with `-h` to see all environment variables and 70 flags. For example: `nomad status -h` 71 72 By default HTTPS does not validate client certificates, so you do not need to 73 give the command line tool access to any private keys. 74 75 ### Network Isolation with TLS 76 77 If you want to isolate Nomad agents on a network with TLS you need to enable 78 both [`verify_https_client`][tls] and [`verify_server_hostname`][tls]. This 79 will cause agents to require client certificates for all incoming HTTPS 80 connections as well as verify proper names on all other certificates. 81 82 Consul will not attempt to health check agents with `verify_https_client` set 83 as it is unable to use client certificates. 84 85 # Configuring Nomad with TLS 86 87 Read the [Securing Nomad with TLS Guide][guide] for details on how to configure 88 encryption for Nomad. 89 90 [guide]: /guides/securing-nomad.html "Securing Nomad with TLS" 91 [tls]: /docs/agent/configuration/tls.html "Nomad TLS Configuration"