Update default gossip encryption key size to 32 bytes

2019-07-30 09:45:41 -06:00 · 2019-07-30 09:45:41 -06:00 · 00157a2c1f
parent 4407ec5faf
commit 00157a2c1f
8 changed files with 38 additions and 39 deletions
--- a/agent/config/runtime_test.go
+++ b/agent/config/runtime_test.go
@ -407,11 +407,11 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
 		{
 			desc: "-encrypt",
 			args: []string{
-				`-encrypt=i0P+gFTkLPg0h53eNYjydg==`,
+				`-encrypt=pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=`,
 				`-data-dir=` + dataDir,
 			},
 			patch: func(rt *RuntimeConfig) {
-				rt.EncryptKey = "i0P+gFTkLPg0h53eNYjydg=="
+				rt.EncryptKey = "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="
 				rt.DataDir = dataDir
 			},
 		},
@ -2104,14 +2104,14 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
 			args: []string{
 				`-data-dir=` + dataDir,
 			},
-			json: []string{`{ "encrypt": "i0P+gFTkLPg0h53eNYjydg==" }`},
-			hcl:  []string{` encrypt = "i0P+gFTkLPg0h53eNYjydg==" `},
+			json: []string{`{ "encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=" }`},
+			hcl:  []string{` encrypt = "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=" `},
 			patch: func(rt *RuntimeConfig) {
-				rt.EncryptKey = "i0P+gFTkLPg0h53eNYjydg=="
+				rt.EncryptKey = "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="
 				rt.DataDir = dataDir
 			},
 			pre: func() {
-				writeFile(filepath.Join(dataDir, SerfLANKeyring), []byte("i0P+gFTkLPg0h53eNYjydg=="))
+				writeFile(filepath.Join(dataDir, SerfLANKeyring), []byte("pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="))
 			},
 			warns: []string{`WARNING: LAN keyring exists but -encrypt given, using keyring`},
 		},
@ -2120,17 +2120,17 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
 			args: []string{
 				`-data-dir=` + dataDir,
 			},
-			json: []string{`{ "encrypt": "i0P+gFTkLPg0h53eNYjydg==", "server": true }`},
-			hcl:  []string{` encrypt = "i0P+gFTkLPg0h53eNYjydg==" server = true `},
+			json: []string{`{ "encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=", "server": true }`},
+			hcl:  []string{` encrypt = "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=" server = true `},
 			patch: func(rt *RuntimeConfig) {
-				rt.EncryptKey = "i0P+gFTkLPg0h53eNYjydg=="
+				rt.EncryptKey = "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="
 				rt.ServerMode = true
 				rt.LeaveOnTerm = false
 				rt.SkipLeaveOnInt = true
 				rt.DataDir = dataDir
 			},
 			pre: func() {
-				writeFile(filepath.Join(dataDir, SerfWANKeyring), []byte("i0P+gFTkLPg0h53eNYjydg=="))
+				writeFile(filepath.Join(dataDir, SerfWANKeyring), []byte("pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="))
 			},
 			warns: []string{`WARNING: WAN keyring exists but -encrypt given, using keyring`},
 		},
--- a/command/keygen/keygen.go
+++ b/command/keygen/keygen.go
@ -32,13 +32,13 @@ func (c *cmd) Run(args []string) int {
 		return 1
 	}

-	key := make([]byte, 16)
+	key := make([]byte, 32)
 	n, err := rand.Reader.Read(key)
 	if err != nil {
 		c.UI.Error(fmt.Sprintf("Error reading random data: %s", err))
 		return 1
 	}
-	if n != 16 {
+	if n != 32 {
 		c.UI.Error(fmt.Sprintf("Couldn't read enough entropy. Generate more entropy!"))
 		return 1
 	}
@ -59,7 +59,7 @@ const synopsis = "Generates a new encryption key"
 const help = `
 Usage: consul keygen

-  Generates a new encryption key that can be used to configure the
+  Generates a new 32-byte encryption key that can be used to configure the
  agent to encrypt traffic. The output of this command is already
  in the proper format that the agent expects.
 `
--- a/command/keygen/keygen_test.go
+++ b/command/keygen/keygen_test.go
@ -29,8 +29,7 @@ func TestKeygenCommand(t *testing.T) {
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}
-
-	if len(result) != 16 {
+	if len(result) != 32 {
 		t.Fatalf("bad: %#v", result)
 	}
 }
--- a/website/source/api/operator/keyring.html.md
+++ b/website/source/api/operator/keyring.html.md
@ -58,9 +58,9 @@ $ curl \
    "Datacenter": "dc1",
    "Segment": "",
    "Keys": {
-      "0eK8RjnsGC/+I1fJErQsBA==": 1,
-      "G/3/L4yOw3e5T7NTvuRi9g==": 1,
-      "z90lFx3sZZLtTOkutXcwYg==": 1
+      "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=": 1,
+      "ZWTL+bgjHyQPhJRKcFe3ccirc2SFHmc/Nw67l8NQfdk=": 1,
+      "WbL6oaTPom+7RG7Q/INbJWKy09OLar/Hf2SuOAdoQE4=": 1
    },
    "NumNodes": 1
  },
@ -69,9 +69,9 @@ $ curl \
    "Datacenter": "dc1",
    "Segment": "",
    "Keys": {
-      "0eK8RjnsGC/+I1fJErQsBA==": 1,
-      "G/3/L4yOw3e5T7NTvuRi9g==": 1,
-      "z90lFx3sZZLtTOkutXcwYg==": 1
+      "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=": 1,
+      "ZWTL+bgjHyQPhJRKcFe3ccirc2SFHmc/Nw67l8NQfdk=": 1,
+      "WbL6oaTPom+7RG7Q/INbJWKy09OLar/Hf2SuOAdoQE4=": 1
    },
    "NumNodes": 1
  }
@ -122,7 +122,7 @@ The table below shows this endpoint's support for

 ```json
 {
-  "Key": "3lg9DxVfKNzI8O+IQ5Ek+Q=="
+  "Key": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="
 }
 ```

@ -168,7 +168,7 @@ The table below shows this endpoint's support for

 ```json
 {
- "Key": "3lg9DxVfKNzI8O+IQ5Ek+Q=="
+ "Key": "WbL6oaTPom+7RG7Q/INbJWKy09OLar/Hf2SuOAdoQE4="
 }
 ```

@ -213,7 +213,7 @@ The table below shows this endpoint's support for

 ```json
 {
- "Key": "3lg9DxVfKNzI8O+IQ5Ek+Q=="
+ "Key": "WbL6oaTPom+7RG7Q/INbJWKy09OLar/Hf2SuOAdoQE4="
 }
 ```

--- a/website/source/docs/agent/encryption.html.md
+++ b/website/source/docs/agent/encryption.html.md
@ -20,13 +20,13 @@ starting the Consul agent. The key can be set via the `encrypt` parameter.

 ~> **WAN Joined Datacenters Note:** If using multiple WAN joined datacenters, be sure to use _the same encryption key_ in all datacenters.

-The key must be 16-bytes, Base64 encoded. As a convenience, Consul provides the
+The key must be 32-bytes, Base64 encoded. As a convenience, Consul provides the
 [`consul keygen`](/docs/commands/keygen.html) command to generate a
 cryptographically suitable key:

 ```text
 $ consul keygen
-cg8StVXbQJ0gPvMd9o7yrg==
+pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=
 ```

 With that key, you can enable encryption on the agent. If encryption is enabled,
@ -34,7 +34,7 @@ the output of [`consul agent`](/docs/commands/agent.html) will include "Encrypt:

 ```text
 $ cat encrypt.json
-{"encrypt": "cg8StVXbQJ0gPvMd9o7yrg=="}
+{"encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="}

 $ consul agent -data-dir=/tmp/consul -config-file=encrypt.json
 ==> WARNING: LAN keyring exists but -encrypt given, using keyring
--- a/website/source/docs/agent/options.html.md
+++ b/website/source/docs/agent/options.html.md
@ -242,7 +242,7 @@ will exit with an error at startup.

 * <a name="_encrypt"></a><a href="#_encrypt">`-encrypt`</a> - Specifies the secret key to
  use for encryption of Consul
-  network traffic. This key must be 16-bytes that are Base64-encoded. The
+  network traffic. This key must be 32-bytes that are Base64-encoded. The
  easiest way to create an encryption key is to use
  [`consul keygen`](/docs/commands/keygen.html). All
  nodes within a cluster must share the same encryption key to communicate.
--- a/website/source/docs/guides/agent-encryption.html.md
+++ b/website/source/docs/guides/agent-encryption.html.md
@ -14,13 +14,13 @@ To complete the RPC encryption section, you must have [configured agent certific

 ## Gossip Encryption

-To enable gossip encryption, you need to use an encryption key when starting the Consul agent. The key can be simple set with the `encrypt` parameter in the agent configuration file. Alternatively, the encryption key can be placed in a seperate configuration file with only the `encrypt` field, since the agent can merge multiple configuration files. The key must be 16-bytes, Base64 encoded. 
+To enable gossip encryption, you need to use an encryption key when starting the Consul agent. The key can be simple set with the `encrypt` parameter in the agent configuration file. Alternatively, the encryption key can be placed in a seperate configuration file with only the `encrypt` field, since the agent can merge multiple configuration files. The key must be 32-bytes, Base64 encoded. 

 You can use the Consul CLI command, [`consul keygen`](/docs/commands/keygen.html), to generate a cryptographically suitable key.

 ```sh
 $ consul keygen
-cg8StVXbQJ0gPvMd9o7yrg==
+pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=
 ```

 ### Enable Gossip Encryption: New Cluster
@ -34,7 +34,7 @@ agent configuration file and then pass the file at startup with the [`-config-di
  "log_level": "INFO",
  "node_name": "bulldog",
  "server": true,
-  "encrypt": "JY34uTPZyfUE+6tinMYEVw=="
+  "encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="
 }
 ```

@ -64,7 +64,7 @@ Gossip encryption can also be enabled on an existing cluster, but requires sever

 ```sh
 $ consul keygen
-JY34uTPZyfUE+6tinMYEVw==
+pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=
 ```

 **Step 2**: Set the [`encrypt`](/docs/agent/options.html#_encrypt) key, and set `encrypt_verify_incoming` and `encrypt_verify_outgoing` to `false` in the agent configuration file. Then initiate a rolling update of the cluster with these new values. After this step, the agents will be able to decrypt gossip but will not yet be sending encrypted traffic.
@ -75,7 +75,7 @@ JY34uTPZyfUE+6tinMYEVw==
  "log_level": "INFO",
  "node_name": "bulldog",
  "server": true,
-  "encrypt": "JY34uTPZyfUE+6tinMYEVw==",
+  "encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=",
  "encrypt_verify_incoming": false,
  "encrypt_verify_outgoing": false
 }
@ -91,7 +91,7 @@ A rolling update can be made by restarting the Consul agents (clients and server
  "log_level": "INFO",
  "node_name": "bulldog",
  "server": true,
-  "encrypt": "JY34uTPZyfUE+6tinMYEVw==",
+  "encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=",
  "encrypt_verify_incoming": false,
  "encrypt_verify_outgoing": true
 }
@ -105,7 +105,7 @@ A rolling update can be made by restarting the Consul agents (clients and server
  "log_level": "INFO",
  "node_name": "bulldog",
  "server": true,
-  "encrypt": "JY34uTPZyfUE+6tinMYEVw==",
+  "encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=",
  "encrypt_verify_incoming": true,
  "encrypt_verify_outgoing": true
 }
@ -139,7 +139,7 @@ After TLS has been configured on all the agents, you can start the agents and RP
  "log_level": "INFO",
  "node_name": "bulldog",
  "server": true,
-  "encrypt": "JY34uTPZyfUE+6tinMYEVw==",
+  "encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=",
  "verify_incoming": true,
  "verify_outgoing": true,
  "verify_server_hostname": true,
@ -165,7 +165,7 @@ Enabling TLS on an existing cluster is supported. This process assumes a startin
  "log_level": "INFO",
  "node_name": "bulldog",
  "server": true,
-  "encrypt": "JY34uTPZyfUE+6tinMYEVw==",
+  "encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=",
  "verify_incoming": false,
  "verify_outgoing": false,
  "ca_file": "consul-agent-ca.pem",
@ -187,7 +187,7 @@ Next, perform a rolling restart of each agent in the cluster. After this step, T
  "log_level": "INFO",
  "node_name": "bulldog",
  "server": true,
-  "encrypt": "JY34uTPZyfUE+6tinMYEVw==",
+  "encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=",
  "verify_incoming": true,
  "verify_outgoing": true,
  "verify_server_hostname": true,
--- a/website/source/docs/guides/deployment-guide.html.md
+++ b/website/source/docs/guides/deployment-guide.html.md
@ -151,7 +151,7 @@ Add this configuration to the `consul.hcl` configuration file:
 ```hcl
 datacenter = "dc1"
 data_dir = "/opt/consul"
-encrypt = "Luj2FZWwlt8475wD1WtwUQ=="
+encrypt = "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="
 ```

 - [`datacenter`](/docs/agent/options.html#_datacenter) - The datacenter in which the agent is running.