---
layout: "docs"
page_title: "Commands: operator keyring"
sidebar_current: "docs-commands-operator-keyring"
---

# Command: operator keyring

The `operator keyring` command is used to examine and modify the encryption keys
used by Nomad servers. It is capable of distributing new encryption keys to the
cluster, retiring old encryption keys, and changing the keys used by the cluster
to encrypt messages.

Nomad allows multiple encryption keys to be in use simultaneously. This is
intended to provide a transition state while the cluster converges. It is the
responsibility of the operator to ensure that only the required encryption keys
are installed on the cluster. You can review the installed keys using the
`-list` argument, and remove unneeded keys with `-remove`.

All operations performed by this command can only be run against server nodes
and will affect the entire cluster.

All variations of the `keyring` command return 0 if all nodes reply and there
are no errors. If any node fails to reply or reports failure, the exit code
will be 1.

## Usage

Usage: `nomad operator keyring [options]`

Only one actionable argument may be specified per run, including `-list`,
`-install`, `-remove`, and `-use`.

The available flags are:

* `-list` - List all keys currently in use within the cluster.

* `-install` - Install a new encryption key. This will broadcast the new key to
  all members in the cluster.

* `-use` - Change the primary encryption key, which is used to encrypt messages.
  The key must already be installed before this operation can succeed.

* `-remove` - Remove the given key from the cluster. This operation may only be
  performed on keys which are not currently the primary key.

## Output

The output of the `nomad operator keyring -list` command consolidates information from
all the Nomad servers from all datacenters and regions to provide a simple and
easy-to-understand view of the cluster.

```
==> Gathering installed encryption keys...
Key
PGm64/neoebUBqYR/lZTbA==
```
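The rotation sequence implied by the flags above (install, then use, then remove), as an added shell example that is not part of the Nomad documentation. It assumes `-install`, `-use` and `-remove` take the base64 key as their value; `rotate_keyring` and the `NOMAD` variable are hypothetical names, and the function stops at the first step that exits non-zero so a partially converged cluster is never switched to the new key.

```shell
#!/bin/sh
# Added example: rotate the encryption key with `nomad operator keyring`.
# Assumption: -install, -use and -remove take the base64 key as their value.
# NOMAD (hypothetical variable) may point at a specific nomad binary.
NOMAD="${NOMAD:-nomad}"

# rotate_keyring NEW_KEY OLD_KEY   (hypothetical helper name)
# Returns 0 only if every step exited 0 (all servers replied without error)
# and OLD_KEY is absent from -list afterwards.
rotate_keyring() {
    new_key=$1
    old_key=$2
    if [ -z "$new_key" ] || [ -z "$old_key" ] || [ "$new_key" = "$old_key" ]; then
        echo "usage: rotate_keyring NEW_KEY OLD_KEY (keys must differ)" >&2
        return 2
    fi

    # 1. Broadcast the new key. Exit code 1 means a server failed to reply or
    #    reported failure, so the primary key must not be changed yet.
    "$NOMAD" operator keyring -install "$new_key" || {
        echo "install failed; primary key unchanged" >&2; return 1; }

    # 2. Switch the primary key; it must already be installed (step 1).
    "$NOMAD" operator keyring -use "$new_key" || {
        echo "use failed; old key left installed" >&2; return 1; }

    # 3. Retire the old key, which is no longer the primary key.
    "$NOMAD" operator keyring -remove "$old_key" || {
        echo "remove failed; old key may still be installed" >&2; return 1; }

    # 4. Review what is installed: the new key must be present, the old one gone.
    listing=$("$NOMAD" operator keyring -list) || {
        echo "list failed; cannot confirm keyring state" >&2; return 1; }
    if ! printf '%s\n' "$listing" | grep -qF -- "$new_key"; then
        echo "new key missing from keyring" >&2
        return 1
    fi
    if printf '%s\n' "$listing" | grep -qF -- "$old_key"; then
        echo "old key still listed after removal" >&2
        return 1
    fi
    return 0
}
```

Keys passed as arguments are visible in the process list and shell history of the host running the command, so run the rotation from a restricted administrative host.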