open-consul/website/source/docs/agent/encryption.html.markdown

---
layout: "docs"
page_title: "Encryption"
sidebar_current: "docs-agent-encryption"
description: |-
  The Consul agent supports encrypting all of its network traffic. The exact method of encryption is described on the encryption internals page. There are two separate encryption systems, one for gossip traffic and one for RPC.
---

# Encryption

The Consul agent supports encrypting all of its network traffic. The exact
method of encryption is described on the [encryption internals page](/docs/internals/security.html).
There are two separate encryption systems, one for gossip traffic and one for RPC.

## Gossip Encryption

Enabling gossip encryption only requires that you set an encryption key when
starting the Consul agent. The key can be set via the `encrypt` parameter: the
value of this setting is a configuration file containing the encryption key.

The key must be 16-bytes, Base64 encoded.  As a convenience, Consul provides the
`consul keygen` commmand to generate a cryptographically suitable key:

```text
$ consul keygen
cg8StVXbQJ0gPvMd9o7yrg==
```

With that key, you can enable encryption on the agent. If encryption is enabled,
the output of `consul agent` will include "Encrypted: true":

```text
$ cat encrypt.json
{"encrypt": "cg8StVXbQJ0gPvMd9o7yrg=="}

$ consul agent -data=/tmp/consul -config-file encrypt.json
==> Starting Consul agent...
==> Starting Consul agent RPC...
==> Consul agent running!
         Node name: 'Armons-MacBook-Air.local'
        Datacenter: 'dc1'
    Advertise addr: '10.1.10.12'
          RPC addr: '127.0.0.1:8400'
         HTTP addr: '127.0.0.1:8500'
          DNS addr: '127.0.0.1:8600'
         Encrypted: true
            Server: false (bootstrap: false)
...
```

All nodes within a Consul cluster must share the same encryption key in
order to send and receive cluster information.

# RPC Encryption with TLS

Consul supports using TLS to verify the authenticity of servers and clients. To enable this,
Consul requires that all clients and servers have key pairs that are generated by a single
Certificate Authority. This can be a private CA, used only internally. The
CA then signs keys for each of the agents, as in
[this tutorial on generating both a CA and signing keys](https://langui.sh/2009/01/18/openssl-self-signed-ca/)
using OpenSSL. Note: client certificates must have
[Extended Key Usage](https://www.openssl.org/docs/apps/x509v3_config.html#extended_key_usage_) enabled
for client and server authentication.

TLS can be used to verify the authenticity of the servers or verify the authenticity of clients.
These modes are controlled by the `verify_outgoing` and `verify_incoming` [options](/docs/agent/options.html),
respectively.

If `verify_outgoing` is set, agents verify the authenticity of Consul for outgoing
connections. Server nodes must present a certificate signed by the certificate authority
present on all agents, set via the agent's `ca_file` option. All server nodes must have an
appropriate key pair set using `cert_file` and `key_file`.

If `verify_incoming` is set, the servers verify the authenticity of all incoming
connections. All clients must have a valid key pair set using `cert_file` and `key_file`. Servers will
also disallow any non-TLS connections. To force clients to use TLS, `verify_outgoing` must also be set.

TLS is used to secure the RPC calls between agents, but gossip between nodes is done over UDP
and is secured using a symmetric key. See above for enabling gossip encryption.
website: bulk copy from serf 2014-02-08 00:41:03 +00:00			`---`
			`layout: "docs"`
			`page_title: "Encryption"`
			`sidebar_current: "docs-agent-encryption"`
Use new Markdown syntaxes and add SEO descriptions 2014-10-19 23:40:10 +00:00			`description: \|-`
Substantial and potentially inaccurate rewrite to docs/agent/encryption. 2015-01-31 23:33:29 +00:00			`The Consul agent supports encrypting all of its network traffic. The exact method of encryption is described on the encryption internals page. There are two separate encryption systems, one for gossip traffic and one for RPC.`
website: bulk copy from serf 2014-02-08 00:41:03 +00:00			`---`

			`# Encryption`

website: working on docs 2014-02-18 23:30:07 +00:00			`The Consul agent supports encrypting all of its network traffic. The exact`
Substantial and potentially inaccurate rewrite to docs/agent/encryption. 2015-01-31 23:33:29 +00:00			`method of encryption is described on the [encryption internals page](/docs/internals/security.html).`
			`There are two separate encryption systems, one for gossip traffic and one for RPC.`
website: bulk copy from serf 2014-02-08 00:41:03 +00:00
website: More info on TLS encryption 2014-04-07 22:06:26 +00:00			`## Gossip Encryption`
website: bulk copy from serf 2014-02-08 00:41:03 +00:00
website: More info on TLS encryption 2014-04-07 22:06:26 +00:00			`Enabling gossip encryption only requires that you set an encryption key when`
Final edits to encryption doc. 2015-02-01 03:05:00 +00:00			starting the Consul agent. The key can be set via the `encrypt` parameter: the
Substantial and potentially inaccurate rewrite to docs/agent/encryption. 2015-01-31 23:33:29 +00:00			`value of this setting is a configuration file containing the encryption key.`

Final edits to encryption doc. 2015-02-01 03:05:00 +00:00			`The key must be 16-bytes, Base64 encoded. As a convenience, Consul provides the`
Substantial and potentially inaccurate rewrite to docs/agent/encryption. 2015-01-31 23:33:29 +00:00			`consul keygen` commmand to generate a cryptographically suitable key:
website: bulk copy from serf 2014-02-08 00:41:03 +00:00
Use new Markdown syntaxes and add SEO descriptions 2014-10-19 23:40:10 +00:00			```text
website: working on docs 2014-02-18 23:30:07 +00:00			`$ consul keygen`
website: bulk copy from serf 2014-02-08 00:41:03 +00:00			`cg8StVXbQJ0gPvMd9o7yrg==`
			```

Substantial and potentially inaccurate rewrite to docs/agent/encryption. 2015-01-31 23:33:29 +00:00			`With that key, you can enable encryption on the agent. If encryption is enabled,`
			the output of `consul agent` will include "Encrypted: true":
website: bulk copy from serf 2014-02-08 00:41:03 +00:00
Use new Markdown syntaxes and add SEO descriptions 2014-10-19 23:40:10 +00:00			```text
website: remove old docs on the -encrypt flag 2014-07-15 16:50:39 +00:00			`$ cat encrypt.json`
			`{"encrypt": "cg8StVXbQJ0gPvMd9o7yrg=="}`

			`$ consul agent -data=/tmp/consul -config-file encrypt.json`
website: working on docs 2014-02-18 23:30:07 +00:00			`==> Starting Consul agent...`
			`==> Starting Consul agent RPC...`
			`==> Consul agent running!`
			`Node name: 'Armons-MacBook-Air.local'`
			`Datacenter: 'dc1'`
			`Advertise addr: '10.1.10.12'`
			`RPC addr: '127.0.0.1:8400'`
			`HTTP addr: '127.0.0.1:8500'`
			`DNS addr: '127.0.0.1:8600'`
			`Encrypted: true`
			`Server: false (bootstrap: false)`
website: bulk copy from serf 2014-02-08 00:41:03 +00:00			`...`
			```

website: working on docs 2014-02-18 23:30:07 +00:00			`All nodes within a Consul cluster must share the same encryption key in`
website: bulk copy from serf 2014-02-08 00:41:03 +00:00			`order to send and receive cluster information.`

website: More info on TLS encryption 2014-04-07 22:06:26 +00:00			`# RPC Encryption with TLS`

Substantial and potentially inaccurate rewrite to docs/agent/encryption. 2015-01-31 23:33:29 +00:00			`Consul supports using TLS to verify the authenticity of servers and clients. To enable this,`
			`Consul requires that all clients and servers have key pairs that are generated by a single`
			`Certificate Authority. This can be a private CA, used only internally. The`
			`CA then signs keys for each of the agents, as in`
Final edits to encryption doc. 2015-02-01 03:05:00 +00:00			`[this tutorial on generating both a CA and signing keys](https://langui.sh/2009/01/18/openssl-self-signed-ca/)`
Substantial and potentially inaccurate rewrite to docs/agent/encryption. 2015-01-31 23:33:29 +00:00			`using OpenSSL. Note: client certificates must have`
			`[Extended Key Usage](https://www.openssl.org/docs/apps/x509v3_config.html#extended_key_usage_) enabled`
			`for client and server authentication.`
website: More info on TLS encryption 2014-04-07 22:06:26 +00:00
Final edits to encryption doc. 2015-02-01 03:05:00 +00:00			`TLS can be used to verify the authenticity of the servers or verify the authenticity of clients.`
			These modes are controlled by the `verify_outgoing` and `verify_incoming` [options](/docs/agent/options.html),
			`respectively.`
website: More info on TLS encryption 2014-04-07 22:06:26 +00:00
Substantial and potentially inaccurate rewrite to docs/agent/encryption. 2015-01-31 23:33:29 +00:00			If `verify_outgoing` is set, agents verify the authenticity of Consul for outgoing
Final edits to encryption doc. 2015-02-01 02:59:59 +00:00			`connections. Server nodes must present a certificate signed by the certificate authority`
			present on all agents, set via the agent's `ca_file` option. All server nodes must have an
			appropriate key pair set using `cert_file` and `key_file`.
website: More info on TLS encryption 2014-04-07 22:06:26 +00:00
Final edits to encryption doc. 2015-02-01 02:59:59 +00:00			If `verify_incoming` is set, the servers verify the authenticity of all incoming
Final edits to encryption doc. 2015-02-01 03:01:33 +00:00			connections. All clients must have a valid key pair set using `cert_file` and `key_file`. Servers will
			also disallow any non-TLS connections. To force clients to use TLS, `verify_outgoing` must also be set.
website: More info on TLS encryption 2014-04-07 22:06:26 +00:00
			`TLS is used to secure the RPC calls between agents, but gossip between nodes is done over UDP`
			`and is secured using a symmetric key. See above for enabling gossip encryption.`