open-nomad/website/source/docs/agent/encryption.html.md

---
layout: "docs"
page_title: "Gossip and RPC Encryption"
sidebar_current: "docs-agent-encryption"
description: |-
  Learn how to configure Nomad to encrypt both its gossip traffic and its RPC
  traffic.
---

# Encryption

The Nomad agent supports encrypting all of its network traffic. There are
two separate encryption systems: a shared symmetric key for gossip traffic, and
TLS for RPC.

## Gossip

Enabling gossip encryption only requires that you set an encryption key when
starting the Nomad server. The key is set via the
[`encrypt`](/docs/agent/configuration/server.html#encrypt) parameter in the
`server` stanza of the server configuration file; the value of the parameter is
the base64-encoded key itself.

The key must be 16 bytes, base64-encoded. As a convenience, Nomad provides the
[`nomad keygen`](/docs/commands/keygen.html) command to generate a
cryptographically suitable key:

```shell
$ nomad keygen
cg8StVXbQJ0gPvMd9o7yrg==
```

With that key, you can enable gossip encryption on the agent. All servers in
the cluster must be started with the same key, and the key must be treated as
a secret: it is the only thing that authenticates a peer to the gossip pool.
Do not reuse the key shown above; generate your own.
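
The following Go program is an added example, not Nomad's own code. It does
what `nomad keygen` does (16 random bytes, base64-encoded), applies the check a
server would otherwise fail at startup (valid base64 decoding to exactly 16
bytes), and renders the `server` stanza that carries the key. The stanza layout
and the `ValidateGossipKey` name are ours; the `encrypt` and `enabled` parameter
names are Nomad's.

```go
// Added example (not Nomad's own code): generate and validate a gossip key in
// the form the `encrypt` server parameter expects, and render the server
// stanza that carries it.
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// gossipKeyLen is the key size this page documents: 16 bytes.
const gossipKeyLen = 16

// GenerateGossipKey returns 16 random bytes, base64-encoded, which is what
// `nomad keygen` prints.
func GenerateGossipKey() (string, error) {
	key := make([]byte, gossipKeyLen)
	if _, err := rand.Read(key); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(key), nil
}

// ValidateGossipKey rejects a key that is not valid base64 or that does not
// decode to exactly gossipKeyLen bytes (hypothetical helper; the same
// conditions make a Nomad server refuse to start).
func ValidateGossipKey(encoded string) error {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return fmt.Errorf("encrypt key is not valid base64: %v", err)
	}
	if len(raw) != gossipKeyLen {
		return fmt.Errorf("encrypt key must decode to %d bytes, got %d", gossipKeyLen, len(raw))
	}
	return nil
}

// ServerStanza renders the server block of a Nomad server configuration file
// with the key in the encrypt parameter. The surrounding file layout is an
// assumption of this example.
func ServerStanza(key string) string {
	return fmt.Sprintf("server {\n  enabled = true\n  encrypt = %q\n}\n", key)
}

func main() {
	key, err := GenerateGossipKey()
	if err != nil {
		panic(err)
	}
	if err := ValidateGossipKey(key); err != nil {
		panic(err)
	}
	fmt.Print(ServerStanza(key))
}
```

Run it once per cluster, place the printed stanza in every server's
configuration file, and keep the file's permissions tight: the key is a
credential, not a tunable.
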

## RPC and Raft Encryption with TLS

Nomad supports using TLS to verify the authenticity of servers and clients. To
enable this, Nomad requires that all clients and servers have key pairs that are
generated and signed by a Certificate Authority. This can be a private CA.

The configuration option [`verify_server_hostname`][tls] causes Nomad to
require that each peer present a certificate signed by the Certificate
Authority in [`ca_file`][tls] for TLS connections, and to verify the server's
name on outgoing connections.

When `verify_server_hostname` is set, every server must have a certificate
valid for `server.<region>.nomad` (for example `server.global.nomad` in the
default `global` region) or the client will reject the handshake. It is also
recommended that the server certificate include `localhost` as a name, so that
the CLI, which talks to the local agent, can validate the server name.

TLS secures the RPC calls between agents. Gossip between servers is done by
Serf over UDP and is secured with the symmetric key described above, not with
TLS; see the Gossip section for enabling gossip encryption.

[tls]: /docs/agent/configuration/tls.html "Nomad TLS Configuration"