open-nomad/website/source/docs/agent/encryption.html.md

---
layout: "docs"
page_title: "Encryption"
sidebar_current: "docs-agent-encryption"
description: |-
  Learn about the encryption in Nomad.
---

The Nomad agent supports encrypting all of its network traffic. There are
two separate encryption systems, one for gossip traffic and one for RPC.

# Gossip Encryption

Enabling gossip encryption only requires that you set an encryption key when
starting the Nomad server agent. The key can be set via the [`encrypt`](/docs/agent/config.html#encrypt) parameter: the
value of this setting is a server configuration file containing the encryption key.

The key must be 16-bytes, Base64 encoded. As a convenience, Nomad provides the
[`nomad keygen`](/docs/commands/keygen.html) command to generate a cryptographically suitable key:

```
$ nomad keygen
cg8StVXbQJ0gPvMd9o7yrg==

```

With that key, you can enable gossip encryption on the agent.


# RPC Encryption with TLS

Nomad supports using TLS to verify the authenticity of servers and clients. To
enable this, Nomad requires that all clients and servers have key pairs that are
generated and signed by a Certificate Authority. This can be a private CA, used
only internally. 

TLS can be used to verify the authenticity of the servers or verify the
authenticity of clients. The configuration option `verify_server_hostname` makes
the Nomad server verify that the client has the same name as mentionioned in the
certificate.

Also if `verify_server_hostname` is set, then outgoing connections perform
hostname verification. All servers must have a certificate valid for
"server.<region>.nomad" or the client will reject the handshake. It is also
recommended for the certificate to sign `localhost` such that the CLI can
validate the server name.

TLS is used to secure the RPC calls between agents, but gossip between nodes is
done over UDP and is secured using a symmetric key. See above for enabling
gossip encryption.
Added docs for encryption 2016-11-01 22:50:12 +00:00			`---`
			`layout: "docs"`
			`page_title: "Encryption"`
			`sidebar_current: "docs-agent-encryption"`
			`description: \|-`
			`Learn about the encryption in Nomad.`
			`---`

			`The Nomad agent supports encrypting all of its network traffic. There are`
			`two separate encryption systems, one for gossip traffic and one for RPC.`

			`# Gossip Encryption`

			`Enabling gossip encryption only requires that you set an encryption key when`
			starting the Nomad server agent. The key can be set via the [`encrypt`](/docs/agent/config.html#encrypt) parameter: the
			`value of this setting is a server configuration file containing the encryption key.`

			`The key must be 16-bytes, Base64 encoded. As a convenience, Nomad provides the`
			[`nomad keygen`](/docs/commands/keygen.html) command to generate a cryptographically suitable key:

			```
			`$ nomad keygen`
			`cg8StVXbQJ0gPvMd9o7yrg==`

			```

			`With that key, you can enable gossip encryption on the agent.`


			`# RPC Encryption with TLS`

			`Nomad supports using TLS to verify the authenticity of servers and clients. To`
			`enable this, Nomad requires that all clients and servers have key pairs that are`
			`generated and signed by a Certificate Authority. This can be a private CA, used`
			`only internally.`

			`TLS can be used to verify the authenticity of the servers or verify the`
			authenticity of clients. The configuration option `verify_server_hostname` makes
			`the Nomad server verify that the client has the same name as mentionioned in the`
			`certificate.`

			Also if `verify_server_hostname` is set, then outgoing connections perform
			`hostname verification. All servers must have a certificate valid for`
			`"server.<region>.nomad" or the client will reject the handshake. It is also`
			recommended for the certificate to sign `localhost` such that the CLI can
			`validate the server name.`

			`TLS is used to secure the RPC calls between agents, but gossip between nodes is`
			`done over UDP and is secured using a symmetric key. See above for enabling`
			`gossip encryption.`