2016-11-01 22:50:12 +00:00
|
|
|
---
|
|
|
|
layout: "docs"
|
2016-11-02 00:40:42 +00:00
|
|
|
page_title: "Gossip and RPC Encryption"
|
2016-11-01 22:50:12 +00:00
|
|
|
sidebar_current: "docs-agent-encryption"
|
|
|
|
description: |-
|
2016-11-16 22:49:29 +00:00
|
|
|
Learn how to configure Nomad to encrypt HTTP, RPC, and Serf traffic.
|
2016-11-01 22:50:12 +00:00
|
|
|
---
|
|
|
|
|
2016-11-02 00:40:42 +00:00
|
|
|
# Encryption
|
|
|
|
|
2016-11-01 22:50:12 +00:00
|
|
|
The Nomad agent supports encrypting all of its network traffic. There are
|
2016-11-11 00:58:53 +00:00
|
|
|
two separate encryption systems, one for gossip traffic, and one for HTTP and
|
|
|
|
RPC.
|
2016-11-01 22:50:12 +00:00
|
|
|
|
2016-11-02 00:40:42 +00:00
|
|
|
## Gossip
|
2016-11-01 22:50:12 +00:00
|
|
|
|
|
|
|
Enabling gossip encryption only requires that you set an encryption key when
|
2016-11-02 00:40:42 +00:00
|
|
|
starting the Nomad server. The key can be set via the
|
2016-11-01 12:53:13 +00:00
|
|
|
[`encrypt`](/docs/agent/configuration/server.html#encrypt) parameter: the value
|
|
|
|
of this setting is a server configuration file containing the encryption key.
|
2016-11-01 22:50:12 +00:00
|
|
|
|
2017-07-17 18:41:50 +00:00
|
|
|
The key must be 16 bytes, base64 encoded. As a convenience, Nomad provides the
|
2016-11-01 22:50:12 +00:00
|
|
|
[`nomad keygen`](/docs/commands/keygen.html) command to generate a cryptographically suitable key:
|
|
|
|
|
2016-11-17 18:05:14 +00:00
|
|
|
```sh
|
2016-11-01 22:50:12 +00:00
|
|
|
$ nomad keygen
|
|
|
|
cg8StVXbQJ0gPvMd9o7yrg==
|
|
|
|
```
|
|
|
|
|
|
|
|
With that key, you can enable gossip encryption on the agent.
|
|
|
|
|
|
|
|
|
2016-11-11 00:58:53 +00:00
|
|
|
## HTTP, RPC, and Raft Encryption with TLS
|
2016-11-01 22:50:12 +00:00
|
|
|
|
|
|
|
Nomad supports using TLS to verify the authenticity of servers and clients. To
|
|
|
|
enable this, Nomad requires that all clients and servers have key pairs that are
|
2017-07-27 23:03:38 +00:00
|
|
|
generated and signed by a private Certificate Authority (CA).
|
2016-11-01 22:50:12 +00:00
|
|
|
|
2016-11-02 00:40:42 +00:00
|
|
|
TLS can be used to verify the authenticity of the servers and clients. The
|
|
|
|
configuration option [`verify_server_hostname`][tls] causes Nomad to verify that
|
|
|
|
a certificate is provided that is signed by the Certificate Authority from the
|
|
|
|
[`ca_file`][tls] for TLS connections.
|
2016-11-01 22:50:12 +00:00
|
|
|
|
2016-11-02 00:40:42 +00:00
|
|
|
If `verify_server_hostname` is set, then outgoing connections perform
|
2016-11-11 00:58:53 +00:00
|
|
|
hostname verification. Unlike traditional HTTPS browser validation, all servers
|
|
|
|
must have a certificate valid for `server.<region>.nomad` or the client will
|
|
|
|
reject the handshake. It is also recommended for the certificate to sign
|
|
|
|
`localhost` such that the CLI can validate the server name.
|
2016-11-01 22:50:12 +00:00
|
|
|
|
|
|
|
TLS is used to secure the RPC calls between agents, but gossip between nodes is
|
|
|
|
done over UDP and is secured using a symmetric key. See above for enabling
|
|
|
|
gossip encryption.
|
2016-11-02 00:40:42 +00:00
|
|
|
|
2017-04-18 16:04:06 +00:00
|
|
|
### Configuring the command line tool
|
|
|
|
|
|
|
|
If you have HTTPS enabled for your Nomad agent, you must export environment
|
|
|
|
variables for the command line tool to also use HTTPS:
|
|
|
|
|
|
|
|
```sh
|
|
|
|
# NOMAD_ADDR defaults to http://, so set it to https
|
|
|
|
# Alternatively you can use the -address flag
|
|
|
|
export NOMAD_ADDR=https://127.0.0.1:4646
|
|
|
|
|
|
|
|
# Set the location of your CA certificate
|
|
|
|
# Alternatively you can use the -ca-cert flag
|
|
|
|
export NOMAD_CACERT=/path/to/ca.pem
|
|
|
|
```
|
|
|
|
|
|
|
|
Run any command except `agent` with `-h` to see all environment variables and
|
|
|
|
flags. For example: `nomad status -h`
|
|
|
|
|
2017-05-03 00:10:16 +00:00
|
|
|
By default HTTPS does not validate client certificates, so you do not need to
|
2017-04-18 16:04:06 +00:00
|
|
|
give the command line tool access to any private keys.
|
|
|
|
|
2017-05-03 00:10:16 +00:00
|
|
|
### Network Isolation with TLS
|
|
|
|
|
|
|
|
If you want to isolate Nomad agents on a network with TLS you need to enable
|
|
|
|
both [`verify_https_client`][tls] and [`verify_server_hostname`][tls]. This
|
|
|
|
will cause agents to require client certificates for all incoming HTTPS
|
|
|
|
connections as well as verify proper names on all other certificates.
|
|
|
|
|
|
|
|
Consul will not attempt to health check agents with `verify_https_client` set
|
|
|
|
as it is unable to use client certificates.
|
|
|
|
|
2017-07-27 23:03:38 +00:00
|
|
|
# Configuring Nomad with TLS
|
2016-11-11 00:58:53 +00:00
|
|
|
|
2017-08-17 23:39:19 +00:00
|
|
|
Read the [Securing Nomad with TLS Guide][guide] for details on how to configure
|
2017-07-27 23:03:38 +00:00
|
|
|
encryption for Nomad.
|
2016-11-11 00:58:53 +00:00
|
|
|
|
2017-08-17 23:39:19 +00:00
|
|
|
[guide]: /guides/securing-nomad.html "Securing Nomad with TLS"
|
2016-11-17 18:04:24 +00:00
|
|
|
[tls]: /docs/agent/configuration/tls.html "Nomad TLS Configuration"
|