open-nomad/website/source/docs/agent/encryption.html.md

---
layout: "docs"
page_title: "Gossip and RPC Encryption"
sidebar_current: "docs-agent-encryption"
description: |-
  Learn how to configure Nomad to encrypt HTTP, RPC, and Serf traffic.
---

# Encryption

The Nomad agent supports encrypting all of its network traffic. There are
two separate encryption systems, one for gossip traffic, and one for HTTP and
RPC.

## Gossip

Enabling gossip encryption only requires that you set an encryption key when
starting the Nomad server. The key can be set via the
[`encrypt`](/docs/agent/configuration/server.html#encrypt) parameter: the value
of this setting is a server configuration file containing the encryption key.

The key must be 16 bytes, base64 encoded. As a convenience, Nomad provides the
[`nomad operator keygen`](/docs/commands/operator/keygen.html) command to
generate a cryptographically suitable key:

```sh
$ nomad operator keygen
cg8StVXbQJ0gPvMd9o7yrg==
```

With that key, you can enable gossip encryption on the agent.


## HTTP, RPC, and Raft Encryption with TLS

Nomad supports using TLS to verify the authenticity of servers and clients. To
enable this, Nomad requires that all clients and servers have key pairs that are
generated and signed by a private Certificate Authority (CA).

TLS can be used to verify the authenticity of the servers and clients. The
configuration option [`verify_server_hostname`][tls] causes Nomad to verify that
a certificate is provided that is signed by the Certificate Authority from the
[`ca_file`][tls] for TLS connections.

If `verify_server_hostname` is set, then outgoing connections perform
hostname verification. Unlike traditional HTTPS browser validation, all servers
must have a certificate valid for `server.<region>.nomad` or the client will
reject the handshake. It is also recommended for the certificate to sign
`localhost` such that the CLI can validate the server name.

TLS is used to secure the RPC calls between agents, but gossip between nodes is
done over UDP and is secured using a symmetric key. See above for enabling
gossip encryption.

### Configuring the command line tool

If you have HTTPS enabled for your Nomad agent, you must export environment
variables for the command line tool to also use HTTPS:

```sh
# NOMAD_ADDR defaults to http://, so set it to https
# Alternatively you can use the -address flag
export NOMAD_ADDR=https://127.0.0.1:4646

# Set the location of your CA certificate
# Alternatively you can use the -ca-cert flag
export NOMAD_CACERT=/path/to/ca.pem
```

Run any command except `agent` with `-h` to see all environment variables and
flags. For example: `nomad status -h`

By default HTTPS does not validate client certificates, so you do not need to
give the command line tool access to any private keys.

### Network Isolation with TLS

If you want to isolate Nomad agents on a network with TLS you need to enable
both [`verify_https_client`][tls] and [`verify_server_hostname`][tls]. This
will cause agents to require client certificates for all incoming HTTPS
connections as well as verify proper names on all other certificates.

Consul will not attempt to health check agents with `verify_https_client` set
as it is unable to use client certificates.

# Configuring Nomad with TLS

Read the [Securing Nomad with TLS Guide][guide] for details on how to configure
encryption for Nomad.

[guide]: /guides/securing-nomad.html "Securing Nomad with TLS"
[tls]: /docs/agent/configuration/tls.html "Nomad TLS Configuration"
Added docs for encryption 2016-11-01 22:50:12 +00:00			`---`
			`layout: "docs"`
Respond to comments 2016-11-02 00:40:42 +00:00			`page_title: "Gossip and RPC Encryption"`
Added docs for encryption 2016-11-01 22:50:12 +00:00			`sidebar_current: "docs-agent-encryption"`
			`description: \|-`
Fix review comments 2016-11-16 22:49:29 +00:00			`Learn how to configure Nomad to encrypt HTTP, RPC, and Serf traffic.`
Added docs for encryption 2016-11-01 22:50:12 +00:00			`---`

Respond to comments 2016-11-02 00:40:42 +00:00			`# Encryption`

Added docs for encryption 2016-11-01 22:50:12 +00:00			`The Nomad agent supports encrypting all of its network traffic. There are`
Add docs for generating example certificates 2016-11-11 00:58:53 +00:00			`two separate encryption systems, one for gossip traffic, and one for HTTP and`
			`RPC.`
Added docs for encryption 2016-11-01 22:50:12 +00:00
Respond to comments 2016-11-02 00:40:42 +00:00			`## Gossip`
Added docs for encryption 2016-11-01 22:50:12 +00:00
			`Enabling gossip encryption only requires that you set an encryption key when`
Respond to comments 2016-11-02 00:40:42 +00:00			`starting the Nomad server. The key can be set via the`
Separate agent configuration into its own pages I apologize in advance for the rather long PR, but unfortunately there is not an easy way to break this up into smaller chunks. This separates the agent configuration into smaller, more consumable pieces just like the job specification. 2016-11-01 12:53:13 +00:00			[`encrypt`](/docs/agent/configuration/server.html#encrypt) parameter: the value
			`of this setting is a server configuration file containing the encryption key.`
Added docs for encryption 2016-11-01 22:50:12 +00:00
Spellcheck sweep of website directory Caught some typos. Made units separate from the numbers 1GHz -> 1 GHz after talking to Nick about questions of style (this has the side effect of making future spell checking easier). 2017-07-17 18:41:50 +00:00			`The key must be 16 bytes, base64 encoded. As a convenience, Nomad provides the`
Fix old references 2018-03-22 20:39:18 +00:00			[`nomad operator keygen`](/docs/commands/operator/keygen.html) command to
			`generate a cryptographically suitable key:`
Added docs for encryption 2016-11-01 22:50:12 +00:00
Use shell instead of sh 2016-11-17 18:05:14 +00:00			```sh
Fix old references 2018-03-22 20:39:18 +00:00			`$ nomad operator keygen`
Added docs for encryption 2016-11-01 22:50:12 +00:00			`cg8StVXbQJ0gPvMd9o7yrg==`
			```

			`With that key, you can enable gossip encryption on the agent.`


Add docs for generating example certificates 2016-11-11 00:58:53 +00:00			`## HTTP, RPC, and Raft Encryption with TLS`
Added docs for encryption 2016-11-01 22:50:12 +00:00
			`Nomad supports using TLS to verify the authenticity of servers and clients. To`
			`enable this, Nomad requires that all clients and servers have key pairs that are`
Remove old example tls config It didn't work in cfssl 1.2 anyway (required building from cfssl master). 2017-07-27 23:03:38 +00:00			`generated and signed by a private Certificate Authority (CA).`
Added docs for encryption 2016-11-01 22:50:12 +00:00
Respond to comments 2016-11-02 00:40:42 +00:00			`TLS can be used to verify the authenticity of the servers and clients. The`
			configuration option [`verify_server_hostname`][tls] causes Nomad to verify that
			`a certificate is provided that is signed by the Certificate Authority from the`
			[`ca_file`][tls] for TLS connections.
Added docs for encryption 2016-11-01 22:50:12 +00:00
Respond to comments 2016-11-02 00:40:42 +00:00			If `verify_server_hostname` is set, then outgoing connections perform
Add docs for generating example certificates 2016-11-11 00:58:53 +00:00			`hostname verification. Unlike traditional HTTPS browser validation, all servers`
			must have a certificate valid for `server.<region>.nomad` or the client will
			`reject the handshake. It is also recommended for the certificate to sign`
			`localhost` such that the CLI can validate the server name.
Added docs for encryption 2016-11-01 22:50:12 +00:00
			`TLS is used to secure the RPC calls between agents, but gossip between nodes is`
			`done over UDP and is secured using a symmetric key. See above for enabling`
			`gossip encryption.`
Respond to comments 2016-11-02 00:40:42 +00:00
Mention required cli config when using tls Fixes #2571 2017-04-18 16:04:06 +00:00			`### Configuring the command line tool`

			`If you have HTTPS enabled for your Nomad agent, you must export environment`
			`variables for the command line tool to also use HTTPS:`

			```sh
			`# NOMAD_ADDR defaults to http://, so set it to https`
			`# Alternatively you can use the -address flag`
			`export NOMAD_ADDR=https://127.0.0.1:4646`

			`# Set the location of your CA certificate`
			`# Alternatively you can use the -ca-cert flag`
			`export NOMAD_CACERT=/path/to/ca.pem`
			```

			Run any command except `agent` with `-h` to see all environment variables and
			flags. For example: `nomad status -h`

Document verify_https_client 2017-05-03 00:10:16 +00:00			`By default HTTPS does not validate client certificates, so you do not need to`
Mention required cli config when using tls Fixes #2571 2017-04-18 16:04:06 +00:00			`give the command line tool access to any private keys.`

Document verify_https_client 2017-05-03 00:10:16 +00:00			`### Network Isolation with TLS`

			`If you want to isolate Nomad agents on a network with TLS you need to enable`
			both [`verify_https_client`][tls] and [`verify_server_hostname`][tls]. This
			`will cause agents to require client certificates for all incoming HTTPS`
			`connections as well as verify proper names on all other certificates.`

			Consul will not attempt to health check agents with `verify_https_client` set
			`as it is unable to use client certificates.`

Remove old example tls config It didn't work in cfssl 1.2 anyway (required building from cfssl master). 2017-07-27 23:03:38 +00:00			`# Configuring Nomad with TLS`
Add docs for generating example certificates 2016-11-11 00:58:53 +00:00
Fix broken link 2017-08-17 23:39:19 +00:00			`Read the [Securing Nomad with TLS Guide][guide] for details on how to configure`
Remove old example tls config It didn't work in cfssl 1.2 anyway (required building from cfssl master). 2017-07-27 23:03:38 +00:00			`encryption for Nomad.`
Add docs for generating example certificates 2016-11-11 00:58:53 +00:00
Fix broken link 2017-08-17 23:39:19 +00:00			`[guide]: /guides/securing-nomad.html "Securing Nomad with TLS"`
Move link to bottom 2016-11-17 18:04:24 +00:00			`[tls]: /docs/agent/configuration/tls.html "Nomad TLS Configuration"`