Generate 32-byte gossip key for nomad operator keygen command

The key generated from this command is used for gossip encrpytion, which utilizes AES GCM encryption. Using a key size of 16-bytes enables AES-128 while a key size of 32 bytes enables AES-256. The underlying memberlist library supports the larger key size, and is ultimatley preferable from a security standpoint. Consul also uses 32 bytes by default: 1a14b94441
2020-09-30 17:02:37 -04:00 · 2020-09-30 17:02:37 -04:00 · 6cefe03359
parent fbcfccfc9e
commit 6cefe03359
1 changed files with 3 additions and 3 deletions
--- a/command/operator_keygen.go
+++ b/command/operator_keygen.go
@ -21,7 +21,7 @@ func (c *OperatorKeygenCommand) Help() string {
 	helpText := `
 Usage: nomad operator keygen

-  Generates a new encryption key that can be used to configure the
+  Generates a new 32-byte encryption key that can be used to configure the
  agent to encrypt traffic. The output of this command is already
  in the proper format that the agent expects.
 `
@ -31,13 +31,13 @@ Usage: nomad operator keygen
 func (c *OperatorKeygenCommand) Name() string { return "operator keygen" }

 func (c *OperatorKeygenCommand) Run(_ []string) int {
-	key := make([]byte, 16)
+	key := make([]byte, 32)
 	n, err := rand.Reader.Read(key)
 	if err != nil {
 		c.Ui.Error(fmt.Sprintf("Error reading random data: %s", err))
 		return 1
 	}
-	if n != 16 {
+	if n != 32 {
 		c.Ui.Error(fmt.Sprintf("Couldn't read enough entropy. Generate more entropy!"))
 		return 1
 	}