open-consul/website/source/docs/commands/keyring.html.markdown

---
layout: "docs"
page_title: "Commands: Keyring"
sidebar_current: "docs-commands-keyring"
---

# Consul Keyring

Command: `consul keyring`

The `keyring` command is used to examine and modify the encryption keys used in
Consul's [Gossip Pools](/docs/internals/gossip.html). It is capable of
distributing new encryption keys to the cluster, retiring old encryption keys,
and changing the keys used by the cluster to encrypt messages.

Consul allows multiple encryption keys to be in use simultaneously. This is
intended to provide a transition state while the cluster converges. It is the
responsibility of the operator to ensure that only the required encryption keys
are installed on the cluster. You can review the installed keys using the
`-list` argument, and remove unneeded keys with `-remove`.

All operations performed by this command can only be run against server nodes,
and affect both the LAN and WAN keyrings in lock-step.

All variations of the `keyring` command return 0 if all nodes reply and there
are no errors. If any node fails to reply or reports failure, the exit code
will be 1.

## Usage

Usage: `consul keyring [options]`

Only one actionable argument may be specified per run, including `-list`,
`-install`, `-remove`, and `-use`.

The list of available flags are:

* `-list` - List all keys currently in use within the cluster.

* `-install` - Install a new encryption key. This will broadcast the new key to
  all members in the cluster.

* `-use` - Change the primary encryption key, which is used to encrypt messages.
  The key must already be installed before this operation can succeed.

* `-remove` - Remove the given key from the cluster. This operation may only be
  performed on keys which are not currently the primary key.

* `-token=""` - ACL token to use during requests. Defaults to that of the agent.

* `-relay-factor` - Added in Consul 0.7.4, setting this to a non-zero value will
  cause nodes to relay their response to the operation through this many
  randomly-chosen other nodes in the cluster. The maximum allowed value is 5.

* `-rpc-addr` - Address to the RPC server of the agent you want to contact
  to send this command. If this isn't specified, the command will contact
  "127.0.0.1:8400" which is the default RPC address of a Consul agent.

## Output

The output of the `consul keyring -list` command consolidates information from
all nodes and all datacenters to provide a simple and easy to understand view of
the cluster. The following is some example output from a cluster with two
datacenters, each which consist of one server and one client:

```
==> Gathering installed encryption keys...
==> Done!

WAN:
  a1i101sMY8rxB+0eAKD/gw== [2/2]

dc2 (LAN):
  a1i101sMY8rxB+0eAKD/gw== [2/2]

dc1 (LAN):
  a1i101sMY8rxB+0eAKD/gw== [2/2]
```

As you can see, the output above is divided first by gossip pool, and then by
encryption key. The indicator to the right of each key displays the number of
nodes the key is installed on over the total number of nodes in the pool.

## Errors

If any errors are encountered while performing a keyring operation, no key
information is displayed, but instead only error information. The error
information is arranged in a similar fashion, organized first by datacenter,
followed by a simple list of nodes which had errors, and the actual text of the
error. Below is sample output from the same cluster as above, if we try to do
something that causes an error; in this case, trying to remove the primary key:

```
==> Removing gossip encryption key...

dc1 (LAN) error: 2/2 nodes reported failure
  server1: Removing the primary key is not allowed
  client1: Removing the primary key is not allowed

WAN error: 2/2 nodes reported failure
  server1.dc1: Removing the primary key is not allowed
  server2.dc2: Removing the primary key is not allowed

dc2 (LAN) error: 2/2 nodes reported failure
  server2: Removing the primary key is not allowed
  client2: Removing the primary key is not allowed
```

As you can see, each node with a failure reported what went wrong.
website: document keys command 2014-09-11 18:19:48 +00:00			`---`
			`layout: "docs"`
command: renamed keys to keyring to disambiguate usage 2014-09-13 03:08:54 +00:00			`page_title: "Commands: Keyring"`
			`sidebar_current: "docs-commands-keyring"`
website: document keys command 2014-09-11 18:19:48 +00:00			`---`

command: renamed keys to keyring to disambiguate usage 2014-09-13 03:08:54 +00:00			`# Consul Keyring`
website: document keys command 2014-09-11 18:19:48 +00:00
command: renamed keys to keyring to disambiguate usage 2014-09-13 03:08:54 +00:00			Command: `consul keyring`
website: document keys command 2014-09-11 18:19:48 +00:00
command: renamed keys to keyring to disambiguate usage 2014-09-13 03:08:54 +00:00			The `keyring` command is used to examine and modify the encryption keys used in
website: document keys command 2014-09-11 18:19:48 +00:00			`Consul's [Gossip Pools](/docs/internals/gossip.html). It is capable of`
website: documentation updates for keyring command 2014-09-19 01:57:18 +00:00			`distributing new encryption keys to the cluster, retiring old encryption keys,`
			`and changing the keys used by the cluster to encrypt messages.`
website: document keys command 2014-09-11 18:19:48 +00:00
			`Consul allows multiple encryption keys to be in use simultaneously. This is`
			`intended to provide a transition state while the cluster converges. It is the`
			`responsibility of the operator to ensure that only the required encryption keys`
website: clean up keyring command docs and add output examples 2014-10-01 00:31:16 +00:00			`are installed on the cluster. You can review the installed keys using the`
			`-list` argument, and remove unneeded keys with `-remove`.
website: document keys command 2014-09-11 18:19:48 +00:00
command: remove -init argument from keyring, auto-persist keyrings when using agent -encrypt 2014-10-03 05:05:00 +00:00			`All operations performed by this command can only be run against server nodes,`
			`and affect both the LAN and WAN keyrings in lock-step.`
command/keyring: cleanup 2014-09-30 22:31:07 +00:00
command: remove -init argument from keyring, auto-persist keyrings when using agent -encrypt 2014-10-03 05:05:00 +00:00			All variations of the `keyring` command return 0 if all nodes reply and there
			`are no errors. If any node fails to reply or reports failure, the exit code`
			`will be 1.`
website: document keys command 2014-09-11 18:19:48 +00:00
			`## Usage`

command: renamed keys to keyring to disambiguate usage 2014-09-13 03:08:54 +00:00			Usage: `consul keyring [options]`
website: document keys command 2014-09-11 18:19:48 +00:00
command: remove -init argument from keyring, auto-persist keyrings when using agent -encrypt 2014-10-03 05:05:00 +00:00			Only one actionable argument may be specified per run, including `-list`,
			`-install`, `-remove`, and `-use`.
website: document keys command 2014-09-11 18:19:48 +00:00
			`The list of available flags are:`

command: remove -init argument from keyring, auto-persist keyrings when using agent -encrypt 2014-10-03 05:05:00 +00:00			* `-list` - List all keys currently in use within the cluster.
website: documentation updates for keyring command 2014-09-19 01:57:18 +00:00
website: document keys command 2014-09-11 18:19:48 +00:00			* `-install` - Install a new encryption key. This will broadcast the new key to
			`all members in the cluster.`

			* `-use` - Change the primary encryption key, which is used to encrypt messages.
			`The key must already be installed before this operation can succeed.`

			* `-remove` - Remove the given key from the cluster. This operation may only be
			`performed on keys which are not currently the primary key.`

Update keyring.html.markdown 2016-09-23 23:00:05 +00:00			* `-token=""` - ACL token to use during requests. Defaults to that of the agent.

Added -relay-factor param to keyring operations 2017-02-02 02:42:41 +00:00			* `-relay-factor` - Added in Consul 0.7.4, setting this to a non-zero value will
			`cause nodes to relay their response to the operation through this many`
			`randomly-chosen other nodes in the cluster. The maximum allowed value is 5.`

Add default rpc address configuration option as CONSUL_RPC_ADDR env variable Similar as in serf: https://github.com/hashicorp/serf/pull/210 2014-12-15 18:16:43 +00:00			* `-rpc-addr` - Address to the RPC server of the agent you want to contact
			`to send this command. If this isn't specified, the command will contact`
			`"127.0.0.1:8400" which is the default RPC address of a Consul agent.`
website: clean up keyring command docs and add output examples 2014-10-01 00:31:16 +00:00
			`## Output`

			The output of the `consul keyring -list` command consolidates information from
			`all nodes and all datacenters to provide a simple and easy to understand view of`
			`the cluster. The following is some example output from a cluster with two`
			`datacenters, each which consist of one server and one client:`

			```
			`==> Gathering installed encryption keys...`
			`==> Done!`

			`WAN:`
			`a1i101sMY8rxB+0eAKD/gw== [2/2]`

			`dc2 (LAN):`
			`a1i101sMY8rxB+0eAKD/gw== [2/2]`

			`dc1 (LAN):`
			`a1i101sMY8rxB+0eAKD/gw== [2/2]`
			```

			`As you can see, the output above is divided first by gossip pool, and then by`
			`encryption key. The indicator to the right of each key displays the number of`
			`nodes the key is installed on over the total number of nodes in the pool.`

			`## Errors`

			`If any errors are encountered while performing a keyring operation, no key`
			`information is displayed, but instead only error information. The error`
			`information is arranged in a similar fashion, organized first by datacenter,`
			`followed by a simple list of nodes which had errors, and the actual text of the`
			`error. Below is sample output from the same cluster as above, if we try to do`
			`something that causes an error; in this case, trying to remove the primary key:`

			```
			`==> Removing gossip encryption key...`

			`dc1 (LAN) error: 2/2 nodes reported failure`
			`server1: Removing the primary key is not allowed`
			`client1: Removing the primary key is not allowed`

			`WAN error: 2/2 nodes reported failure`
			`server1.dc1: Removing the primary key is not allowed`
			`server2.dc2: Removing the primary key is not allowed`

			`dc2 (LAN) error: 2/2 nodes reported failure`
			`server2: Removing the primary key is not allowed`
			`client2: Removing the primary key is not allowed`
			```

			`As you can see, each node with a failure reported what went wrong.`