2016-11-01 22:50:12 +00:00
---
layout: "docs"
page_title: "Gossip and RPC Encryption"
sidebar_current: "docs-agent-encryption"
description: |-
  Learn how to configure Nomad to encrypt both its gossip traffic and its RPC
  traffic.
---

# Encryption

The Nomad agent supports encrypting all of its network traffic. There are
two separate encryption systems, one for gossip traffic, and one for RPC.

## Gossip

Enabling gossip encryption only requires that you set an encryption key when
starting the Nomad server. The key can be set via the
[`encrypt`](/docs/agent/config.html#encrypt) parameter in the server
configuration file; the value of this setting is the encryption key itself.

The key must be 16 bytes, base64 encoded. As a convenience, Nomad provides the
[`nomad keygen`](/docs/commands/keygen.html) command to generate a cryptographically suitable key:

```shell
$ nomad keygen
cg8StVXbQJ0gPvMd9o7yrg==
```

With that key, you can enable gossip encryption on the agent.
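As an added example (not from the Nomad docs or project), the following POSIX shell helpers generate a key, check that it decodes to exactly 16 bytes as the text requires, and render the server stanza that carries it. They assume `encrypt` is set inside the `server` block of the agent configuration, as in the configuration reference linked above, and that `openssl` is available as a fallback generator when `nomad keygen` is not on the PATH.

```shell
#!/bin/sh
# Added example, not Nomad project code: generate a gossip key, verify that it
# is a base64-encoded 16-byte value, and render the server stanza that uses it.
# Assumptions: `encrypt` lives inside the `server` block of the agent config,
# and `openssl` is installed for the fallback generator.

# Number of bytes the key decodes to (0 or a wrong count when not valid base64).
key_byte_count() {
  printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' '
}

# Nomad requires exactly 16 bytes; returns 0 only when the key is acceptable.
key_is_valid() {
  [ "$(key_byte_count "$1")" -eq 16 ] 2>/dev/null
}

# Prefer `nomad keygen`; otherwise produce a key of the same shape with openssl.
generate_key() {
  if command -v nomad >/dev/null 2>&1; then
    nomad keygen
  else
    openssl rand -base64 16
  fi
}

# Render the server stanza; refuse a malformed key instead of writing a
# configuration that the agent would reject at start-up.
render_server_config() {
  key_is_valid "$1" || {
    echo "invalid gossip key: must be 16 bytes, base64 encoded" >&2
    return 1
  }
  cat <<EOF
server {
  enabled = true
  encrypt = "$1"
}
EOF
}
```

Run `render_server_config "$(generate_key)" > server.hcl` to produce the stanza; a key of the wrong length is rejected before it reaches the agent, and the check also catches a key that was truncated or wrapped while being copied between hosts.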

## RPC and Raft Encryption with TLS

Nomad supports using TLS to verify the authenticity of servers and clients. To
enable this, Nomad requires that all clients and servers have key pairs that are
generated and signed by a Certificate Authority. This can be a private CA.

TLS can be used to verify the authenticity of the servers and clients. The
configuration option [`verify_server_hostname`][tls] causes Nomad to verify that
a certificate is provided that is signed by the Certificate Authority from the
[`ca_file`][tls] for TLS connections.

If `verify_server_hostname` is set, then outgoing connections perform
hostname verification. All servers must have a certificate valid for
`server.<region>.nomad` or the client will reject the handshake. It is also
recommended for the certificate to sign `localhost` such that the CLI can
validate the server name.
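The hostname-verification rule above can be checked against a certificate before the agent is started. The following POSIX shell helpers are an added example, not part of the Nomad docs or project: they list the DNS names a server certificate must carry for a region (`server.<region>.nomad`, plus `localhost` for the CLI), report which of them are missing from a certificate's subject alternative names, and render a `tls` stanza with `verify_server_hostname` enabled. They assume PEM certificates, `openssl` on the PATH for reading the certificate, and the `tls` block keys from the configuration reference linked above; the `ca_file`, `cert_file` and `key_file` paths passed in are placeholders.

```shell
#!/bin/sh
# Added example, not Nomad project code: check that a server certificate carries
# the names Nomad's hostname verification expects, and render the tls stanza.
# Assumptions: PEM certificates, `openssl` available, and the `region` argument
# matching the region the server is configured for.

# DNS names a server cert must carry for a region, per the text above:
# server.<region>.nomad is required, localhost is recommended for the CLI.
required_server_names() {
  printf 'server.%s.nomad\nlocalhost\n' "$1"
}

# Given a region and a newline-separated list of DNS SANs, print the names that
# are missing (one per line). Returns 0 only when nothing is missing.
missing_server_names() {
  region=$1
  sans=$2
  missing=""
  for name in $(required_server_names "$region"); do
    if ! printf '%s\n' "$sans" | grep -qxF "$name"; then
      missing="$missing$name
"
    fi
  done
  printf '%s' "$missing"
  [ -z "$missing" ]
}

# Extract the DNS entries of the Subject Alternative Name extension from a PEM
# certificate (requires openssl).
cert_dns_names() {
  openssl x509 -in "$1" -noout -text |
    tr ',' '\n' |
    sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# Check a certificate file for a region; exit status 0 when the handshake
# would pass hostname verification against that name.
check_server_cert() {
  missing_server_names "$1" "$(cert_dns_names "$2")"
}

# Render the tls stanza with hostname verification on. Paths are placeholders;
# the block layout follows the agent configuration reference (assumption).
render_tls_config() {
  cat <<EOF
tls {
  http = true
  rpc  = true
  ca_file   = "$1"
  cert_file = "$2"
  key_file  = "$3"
  verify_server_hostname = true
}
EOF
}
```

Typical use is `check_server_cert global /etc/nomad/server.pem` on each server before enabling `verify_server_hostname`; a certificate that was issued for the node's own hostname but not for `server.<region>.nomad` is the usual reason clients reject the handshake after the option is turned on.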

TLS is used to secure the RPC calls between agents, but gossip between nodes is
done over UDP and is secured using a symmetric key. See above for enabling
gossip encryption.

[tls]: /docs/agent/config.html#tls-options "Nomad TLS Configuration"