Update default gossip encryption key size to 32 bytes
This commit is contained in:
parent
4407ec5faf
commit
00157a2c1f
|
@ -407,11 +407,11 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
|
|||
{
|
||||
desc: "-encrypt",
|
||||
args: []string{
|
||||
`-encrypt=i0P+gFTkLPg0h53eNYjydg==`,
|
||||
`-encrypt=pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=`,
|
||||
`-data-dir=` + dataDir,
|
||||
},
|
||||
patch: func(rt *RuntimeConfig) {
|
||||
rt.EncryptKey = "i0P+gFTkLPg0h53eNYjydg=="
|
||||
rt.EncryptKey = "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="
|
||||
rt.DataDir = dataDir
|
||||
},
|
||||
},
|
||||
|
@ -2104,14 +2104,14 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
|
|||
args: []string{
|
||||
`-data-dir=` + dataDir,
|
||||
},
|
||||
json: []string{`{ "encrypt": "i0P+gFTkLPg0h53eNYjydg==" }`},
|
||||
hcl: []string{` encrypt = "i0P+gFTkLPg0h53eNYjydg==" `},
|
||||
json: []string{`{ "encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=" }`},
|
||||
hcl: []string{` encrypt = "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=" `},
|
||||
patch: func(rt *RuntimeConfig) {
|
||||
rt.EncryptKey = "i0P+gFTkLPg0h53eNYjydg=="
|
||||
rt.EncryptKey = "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="
|
||||
rt.DataDir = dataDir
|
||||
},
|
||||
pre: func() {
|
||||
writeFile(filepath.Join(dataDir, SerfLANKeyring), []byte("i0P+gFTkLPg0h53eNYjydg=="))
|
||||
writeFile(filepath.Join(dataDir, SerfLANKeyring), []byte("pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="))
|
||||
},
|
||||
warns: []string{`WARNING: LAN keyring exists but -encrypt given, using keyring`},
|
||||
},
|
||||
|
@ -2120,17 +2120,17 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
|
|||
args: []string{
|
||||
`-data-dir=` + dataDir,
|
||||
},
|
||||
json: []string{`{ "encrypt": "i0P+gFTkLPg0h53eNYjydg==", "server": true }`},
|
||||
hcl: []string{` encrypt = "i0P+gFTkLPg0h53eNYjydg==" server = true `},
|
||||
json: []string{`{ "encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=", "server": true }`},
|
||||
hcl: []string{` encrypt = "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=" server = true `},
|
||||
patch: func(rt *RuntimeConfig) {
|
||||
rt.EncryptKey = "i0P+gFTkLPg0h53eNYjydg=="
|
||||
rt.EncryptKey = "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="
|
||||
rt.ServerMode = true
|
||||
rt.LeaveOnTerm = false
|
||||
rt.SkipLeaveOnInt = true
|
||||
rt.DataDir = dataDir
|
||||
},
|
||||
pre: func() {
|
||||
writeFile(filepath.Join(dataDir, SerfWANKeyring), []byte("i0P+gFTkLPg0h53eNYjydg=="))
|
||||
writeFile(filepath.Join(dataDir, SerfWANKeyring), []byte("pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="))
|
||||
},
|
||||
warns: []string{`WARNING: WAN keyring exists but -encrypt given, using keyring`},
|
||||
},
|
||||
|
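Review bot: All three config cases now carry only the 32-byte key, so the test no longer shows whether a 16-byte `-encrypt` value is still accepted or is now rejected; if the agent keeps accepting 16- and 24-byte keys (the underlying gossip layer presumably supports all three AES key sizes), keep one case with the old `i0P+gFTkLPg0h53eNYjydg==` value next to the new one, and if a short key is meant to be rejected, add a case that asserts the error. The documentation hunks have the same ambiguity, since they now say the key "must be 32-bytes"; if smaller keys remain valid a wording like `The key must be 32-bytes (16 and 24 bytes are also accepted), Base64 encoded.` would be more accurate. TestConfigFlagsAndEdgecases starts and ends outside these hunks.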
|
|
@ -32,13 +32,13 @@ func (c *cmd) Run(args []string) int {
|
|||
return 1
|
||||
}
|
||||
|
||||
key := make([]byte, 16)
|
||||
key := make([]byte, 32)
|
||||
n, err := rand.Reader.Read(key)
|
||||
if err != nil {
|
||||
c.UI.Error(fmt.Sprintf("Error reading random data: %s", err))
|
||||
return 1
|
||||
}
|
||||
if n != 16 {
|
||||
if n != 32 {
|
||||
c.UI.Error(fmt.Sprintf("Couldn't read enough entropy. Generate more entropy!"))
|
||||
return 1
|
||||
}
|
||||
|
@ -59,7 +59,7 @@ const synopsis = "Generates a new encryption key"
|
|||
const help = `
|
||||
Usage: consul keygen
|
||||
|
||||
Generates a new encryption key that can be used to configure the
|
||||
Generates a new 32-byte encryption key that can be used to configure the
|
||||
agent to encrypt traffic. The output of this command is already
|
||||
in the proper format that the agent expects.
|
||||
`
|
||||
|
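Review bot: The key size appears as a bare literal in three places in this file — `key := make([]byte, 32)`, `if n != 32 {` and the "32-byte" wording in the help string — so the next size change has to find all of them; a single `const keySize = 32` used by the `make` call and the length check, and referenced when building the help text, keeps them in step. The short-read branch can also go: `if _, err := io.ReadFull(rand.Reader, key); err != nil {` fails with `io.ErrUnexpectedEOF` unless exactly `len(key)` bytes were read, which folds the `n != 32` check into the existing error path (import io if the file does not already). `fmt.Sprintf("Couldn't read enough entropy. Generate more entropy!")` takes no arguments and can be the plain string literal. Run starts before this hunk and continues after it.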
|
|
@ -29,8 +29,7 @@ func TestKeygenCommand(t *testing.T) {
|
|||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
|
||||
if len(result) != 16 {
|
||||
if len(result) != 32 {
|
||||
t.Fatalf("bad: %#v", result)
|
||||
}
|
||||
}
|
||||
|
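Review bot: The assertion at `if len(result) != 32 {` pins only the decoded length, so a run that produced 32 zero bytes — for example if the entropy read returned a zeroed buffer — would still pass; adding a check that `result` is not all zeros, or running the command twice and asserting the two keys differ, would catch that. `result` is presumably the base64-decoded key rather than the encoded string, since a 32-byte key encodes to 44 characters; worth confirming against the decode step above the hunk. TestKeygenCommand starts outside this hunk.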
|
|
@ -58,9 +58,9 @@ $ curl \
|
|||
"Datacenter": "dc1",
|
||||
"Segment": "",
|
||||
"Keys": {
|
||||
"0eK8RjnsGC/+I1fJErQsBA==": 1,
|
||||
"G/3/L4yOw3e5T7NTvuRi9g==": 1,
|
||||
"z90lFx3sZZLtTOkutXcwYg==": 1
|
||||
"pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=": 1,
|
||||
"ZWTL+bgjHyQPhJRKcFe3ccirc2SFHmc/Nw67l8NQfdk=": 1,
|
||||
"WbL6oaTPom+7RG7Q/INbJWKy09OLar/Hf2SuOAdoQE4=": 1
|
||||
},
|
||||
"NumNodes": 1
|
||||
},
|
||||
|
@ -69,9 +69,9 @@ $ curl \
|
|||
"Datacenter": "dc1",
|
||||
"Segment": "",
|
||||
"Keys": {
|
||||
"0eK8RjnsGC/+I1fJErQsBA==": 1,
|
||||
"G/3/L4yOw3e5T7NTvuRi9g==": 1,
|
||||
"z90lFx3sZZLtTOkutXcwYg==": 1
|
||||
"pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=": 1,
|
||||
"ZWTL+bgjHyQPhJRKcFe3ccirc2SFHmc/Nw67l8NQfdk=": 1,
|
||||
"WbL6oaTPom+7RG7Q/INbJWKy09OLar/Hf2SuOAdoQE4=": 1
|
||||
},
|
||||
"NumNodes": 1
|
||||
}
|
||||
|
@ -122,7 +122,7 @@ The table below shows this endpoint's support for
|
|||
|
||||
```json
|
||||
{
|
||||
"Key": "3lg9DxVfKNzI8O+IQ5Ek+Q=="
|
||||
"Key": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="
|
||||
}
|
||||
```
|
||||
|
||||
|
@ -168,7 +168,7 @@ The table below shows this endpoint's support for
|
|||
|
||||
```json
|
||||
{
|
||||
"Key": "3lg9DxVfKNzI8O+IQ5Ek+Q=="
|
||||
"Key": "WbL6oaTPom+7RG7Q/INbJWKy09OLar/Hf2SuOAdoQE4="
|
||||
}
|
||||
```
|
||||
|
||||
|
@ -213,7 +213,7 @@ The table below shows this endpoint's support for
|
|||
|
||||
```json
|
||||
{
|
||||
"Key": "3lg9DxVfKNzI8O+IQ5Ek+Q=="
|
||||
"Key": "WbL6oaTPom+7RG7Q/INbJWKy09OLar/Hf2SuOAdoQE4="
|
||||
}
|
||||
```
|
||||
|
||||
|
|
|
@ -20,13 +20,13 @@ starting the Consul agent. The key can be set via the `encrypt` parameter.
|
|||
|
||||
~> **WAN Joined Datacenters Note:** If using multiple WAN joined datacenters, be sure to use _the same encryption key_ in all datacenters.
|
||||
|
||||
The key must be 16-bytes, Base64 encoded. As a convenience, Consul provides the
|
||||
The key must be 32-bytes, Base64 encoded. As a convenience, Consul provides the
|
||||
[`consul keygen`](/docs/commands/keygen.html) command to generate a
|
||||
cryptographically suitable key:
|
||||
|
||||
```text
|
||||
$ consul keygen
|
||||
cg8StVXbQJ0gPvMd9o7yrg==
|
||||
pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=
|
||||
```
|
||||
|
||||
With that key, you can enable encryption on the agent. If encryption is enabled,
|
||||
|
@ -34,7 +34,7 @@ the output of [`consul agent`](/docs/commands/agent.html) will include "Encrypt:
|
|||
|
||||
```text
|
||||
$ cat encrypt.json
|
||||
{"encrypt": "cg8StVXbQJ0gPvMd9o7yrg=="}
|
||||
{"encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="}
|
||||
|
||||
$ consul agent -data-dir=/tmp/consul -config-file=encrypt.json
|
||||
==> WARNING: LAN keyring exists but -encrypt given, using keyring
|
||||
|
|
|
@ -242,7 +242,7 @@ will exit with an error at startup.
|
|||
|
||||
* <a name="_encrypt"></a><a href="#_encrypt">`-encrypt`</a> - Specifies the secret key to
|
||||
use for encryption of Consul
|
||||
network traffic. This key must be 16-bytes that are Base64-encoded. The
|
||||
network traffic. This key must be 32-bytes that are Base64-encoded. The
|
||||
easiest way to create an encryption key is to use
|
||||
[`consul keygen`](/docs/commands/keygen.html). All
|
||||
nodes within a cluster must share the same encryption key to communicate.
|
||||
|
|
|
@ -14,13 +14,13 @@ To complete the RPC encryption section, you must have [configured agent certific
|
|||
|
||||
## Gossip Encryption
|
||||
|
||||
To enable gossip encryption, you need to use an encryption key when starting the Consul agent. The key can be simple set with the `encrypt` parameter in the agent configuration file. Alternatively, the encryption key can be placed in a seperate configuration file with only the `encrypt` field, since the agent can merge multiple configuration files. The key must be 16-bytes, Base64 encoded.
|
||||
To enable gossip encryption, you need to use an encryption key when starting the Consul agent. The key can be simple set with the `encrypt` parameter in the agent configuration file. Alternatively, the encryption key can be placed in a seperate configuration file with only the `encrypt` field, since the agent can merge multiple configuration files. The key must be 32-bytes, Base64 encoded.
|
||||
|
||||
You can use the Consul CLI command, [`consul keygen`](/docs/commands/keygen.html), to generate a cryptographically suitable key.
|
||||
|
||||
```sh
|
||||
$ consul keygen
|
||||
cg8StVXbQJ0gPvMd9o7yrg==
|
||||
pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=
|
||||
```
|
||||
|
||||
### Enable Gossip Encryption: New Cluster
|
||||
|
@ -34,7 +34,7 @@ agent configuration file and then pass the file at startup with the [`-config-di
|
|||
"log_level": "INFO",
|
||||
"node_name": "bulldog",
|
||||
"server": true,
|
||||
"encrypt": "JY34uTPZyfUE+6tinMYEVw=="
|
||||
"encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="
|
||||
}
|
||||
```
|
||||
|
||||
|
@ -64,7 +64,7 @@ Gossip encryption can also be enabled on an existing cluster, but requires sever
|
|||
|
||||
```sh
|
||||
$ consul keygen
|
||||
JY34uTPZyfUE+6tinMYEVw==
|
||||
pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=
|
||||
```
|
||||
|
||||
**Step 2**: Set the [`encrypt`](/docs/agent/options.html#_encrypt) key, and set `encrypt_verify_incoming` and `encrypt_verify_outgoing` to `false` in the agent configuration file. Then initiate a rolling update of the cluster with these new values. After this step, the agents will be able to decrypt gossip but will not yet be sending encrypted traffic.
|
||||
|
@ -75,7 +75,7 @@ JY34uTPZyfUE+6tinMYEVw==
|
|||
"log_level": "INFO",
|
||||
"node_name": "bulldog",
|
||||
"server": true,
|
||||
"encrypt": "JY34uTPZyfUE+6tinMYEVw==",
|
||||
"encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=",
|
||||
"encrypt_verify_incoming": false,
|
||||
"encrypt_verify_outgoing": false
|
||||
}
|
||||
|
@ -91,7 +91,7 @@ A rolling update can be made by restarting the Consul agents (clients and server
|
|||
"log_level": "INFO",
|
||||
"node_name": "bulldog",
|
||||
"server": true,
|
||||
"encrypt": "JY34uTPZyfUE+6tinMYEVw==",
|
||||
"encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=",
|
||||
"encrypt_verify_incoming": false,
|
||||
"encrypt_verify_outgoing": true
|
||||
}
|
||||
|
@ -105,7 +105,7 @@ A rolling update can be made by restarting the Consul agents (clients and server
|
|||
"log_level": "INFO",
|
||||
"node_name": "bulldog",
|
||||
"server": true,
|
||||
"encrypt": "JY34uTPZyfUE+6tinMYEVw==",
|
||||
"encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=",
|
||||
"encrypt_verify_incoming": true,
|
||||
"encrypt_verify_outgoing": true
|
||||
}
|
||||
|
@ -139,7 +139,7 @@ After TLS has been configured on all the agents, you can start the agents and RP
|
|||
"log_level": "INFO",
|
||||
"node_name": "bulldog",
|
||||
"server": true,
|
||||
"encrypt": "JY34uTPZyfUE+6tinMYEVw==",
|
||||
"encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=",
|
||||
"verify_incoming": true,
|
||||
"verify_outgoing": true,
|
||||
"verify_server_hostname": true,
|
||||
|
@ -165,7 +165,7 @@ Enabling TLS on an existing cluster is supported. This process assumes a startin
|
|||
"log_level": "INFO",
|
||||
"node_name": "bulldog",
|
||||
"server": true,
|
||||
"encrypt": "JY34uTPZyfUE+6tinMYEVw==",
|
||||
"encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=",
|
||||
"verify_incoming": false,
|
||||
"verify_outgoing": false,
|
||||
"ca_file": "consul-agent-ca.pem",
|
||||
|
@ -187,7 +187,7 @@ Next, perform a rolling restart of each agent in the cluster. After this step, T
|
|||
"log_level": "INFO",
|
||||
"node_name": "bulldog",
|
||||
"server": true,
|
||||
"encrypt": "JY34uTPZyfUE+6tinMYEVw==",
|
||||
"encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=",
|
||||
"verify_incoming": true,
|
||||
"verify_outgoing": true,
|
||||
"verify_server_hostname": true,
|
||||
|
|
|
@ -151,7 +151,7 @@ Add this configuration to the `consul.hcl` configuration file:
|
|||
```hcl
|
||||
datacenter = "dc1"
|
||||
data_dir = "/opt/consul"
|
||||
encrypt = "Luj2FZWwlt8475wD1WtwUQ=="
|
||||
encrypt = "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="
|
||||
```
|
||||
|
||||
- [`datacenter`](/docs/agent/options.html#_datacenter) - The datacenter in which the agent is running.
|
||||
|
|