open-consul/website/source/docs/internals/security.html.markdown

---
layout: "docs"
page_title: "Security Model"
sidebar_current: "docs-internals-security"
description: |-
  Consul relies on both a lightweight gossip mechanism and an RPC system to provide various features. Both of the systems have different security mechanisms that stem from their designs. However, the goals of Consuls security are to provide confidentiality, integrity and authentication.
---

# Security Model

Consul relies on both a lightweight gossip mechanism and an RPC system
to provide various features. Both of the systems have different security
mechanisms that stem from their designs. However, the overall goal
of Consul's security model is to provide [confidentiality, integrity and authentication](http://en.wikipedia.org/wiki/Information_security).

The [gossip protocol](/docs/internals/gossip.html) is powered by [Serf](https://www.serfdom.io/),
which uses a symmetric key, or shared secret, cryptosystem. There are more
details on the security of [Serf here](https://www.serfdom.io/docs/internals/security.html).

The RPC system supports using end-to-end TLS, with optional client authentication.
[TLS](http://en.wikipedia.org/wiki/Transport_Layer_Security) is a widely deployed asymmetric
cryptosystem, and is the foundation of security on the Web, as well as
some other critical parts of the Internet.

This means Consul communication is protected against eavesdropping, tampering,
and spoofing. This makes it possible to run Consul over untrusted networks such
as EC2 and other shared hosting providers.

~> **Advanced Topic!** This page covers the technical details of
the security model of Consul. You don't need to know these details to
operate and use Consul. These details are documented here for those who wish
to learn about them without having to go spelunking through the source code.

## Threat Model

The following are the various parts of our threat model:

* Non-members getting access to data
* Cluster state manipulation due to malicious messages
* Fake data generation due to malicious messages
* Tampering causing state corruption
* Denial of Service against a node

Additionally, we recognize that an attacker that can observe network
traffic for an extended period of time may infer the cluster members.
The gossip mechanism used by Consul relies on sending messages to random
members, so an attacker can record all destinations and determine all
members of the cluster.

When designing security into a system you design it to fit the threat model.
Our goal is not to protect top secret data but to provide a "reasonable"
level of security that would require an attacker to commit a considerable
amount of resources to defeat.
website: bulk copy from serf 2014-02-08 00:41:03 +00:00			`---`
			`layout: "docs"`
			`page_title: "Security Model"`
			`sidebar_current: "docs-internals-security"`
Use new Markdown syntaxes and add SEO descriptions 2014-10-19 23:40:10 +00:00			`description: \|-`
			`Consul relies on both a lightweight gossip mechanism and an RPC system to provide various features. Both of the systems have different security mechanisms that stem from their designs. However, the goals of Consuls security are to provide confidentiality, integrity and authentication.`
website: bulk copy from serf 2014-02-08 00:41:03 +00:00			`---`

			`# Security Model`

website: documenting the internals 2014-02-20 20:26:50 +00:00			`Consul relies on both a lightweight gossip mechanism and an RPC system`
			`to provide various features. Both of the systems have different security`
docs: internals/security: minor fixes 2014-11-26 13:05:33 +00:00			`mechanisms that stem from their designs. However, the overall goal`
			`of Consul's security model is to provide [confidentiality, integrity and authentication](http://en.wikipedia.org/wiki/Information_security).`
website: bulk copy from serf 2014-02-08 00:41:03 +00:00
website: fix typo, casing and links Fix typo in Leader Election guide: s/blog/blob/ Also fix various casing issues and prefer HTTPS links for HashiCorp projects. 2015-01-04 11:57:48 +00:00			`The [gossip protocol](/docs/internals/gossip.html) is powered by [Serf](https://www.serfdom.io/),`
website: documenting the internals 2014-02-20 20:26:50 +00:00			`which uses a symmetric key, or shared secret, cryptosystem. There are more`
website: fix typo, casing and links Fix typo in Leader Election guide: s/blog/blob/ Also fix various casing issues and prefer HTTPS links for HashiCorp projects. 2015-01-04 11:57:48 +00:00			`details on the security of [Serf here](https://www.serfdom.io/docs/internals/security.html).`
website: documenting the internals 2014-02-20 20:26:50 +00:00
			`The RPC system supports using end-to-end TLS, with optional client authentication.`
			`[TLS](http://en.wikipedia.org/wiki/Transport_Layer_Security) is a widely deployed asymmetric`
docs: internals/security: minor fixes 2014-11-26 13:05:33 +00:00			`cryptosystem, and is the foundation of security on the Web, as well as`
			`some other critical parts of the Internet.`
website: documenting the internals 2014-02-20 20:26:50 +00:00
			`This means Consul communication is protected against eavesdropping, tampering,`
docs: internals/security: minor fixes 2014-11-26 13:05:33 +00:00			`and spoofing. This makes it possible to run Consul over untrusted networks such`
website: documenting the internals 2014-02-20 20:26:50 +00:00			`as EC2 and other shared hosting providers.`
website: bulk copy from serf 2014-02-08 00:41:03 +00:00
Use new Markdown syntaxes and add SEO descriptions 2014-10-19 23:40:10 +00:00			`~> Advanced Topic! This page covers the technical details of`
website: documenting the internals 2014-02-20 20:26:50 +00:00			`the security model of Consul. You don't need to know these details to`
			`operate and use Consul. These details are documented here for those who wish`
website: bulk copy from serf 2014-02-08 00:41:03 +00:00			`to learn about them without having to go spelunking through the source code.`

			`## Threat Model`

			`The following are the various parts of our threat model:`

website: documenting the internals 2014-02-20 20:26:50 +00:00			`* Non-members getting access to data`
website: bulk copy from serf 2014-02-08 00:41:03 +00:00			`* Cluster state manipulation due to malicious messages`
website: documenting the internals 2014-02-20 20:26:50 +00:00			`* Fake data generation due to malicious messages`
			`* Tampering causing state corruption`
website: bulk copy from serf 2014-02-08 00:41:03 +00:00			`* Denial of Service against a node`

			`Additionally, we recognize that an attacker that can observe network`
			`traffic for an extended period of time may infer the cluster members.`
website: documenting the internals 2014-02-20 20:26:50 +00:00			`The gossip mechanism used by Consul relies on sending messages to random`
website: bulk copy from serf 2014-02-08 00:41:03 +00:00			`members, so an attacker can record all destinations and determine all`
			`members of the cluster.`

			`When designing security into a system you design it to fit the threat model.`
			`Our goal is not to protect top secret data but to provide a "reasonable"`
			`level of security that would require an attacker to commit a considerable`
			`amount of resources to defeat.`