---
layout: "docs"
page_title: "Security Model"
sidebar_current: "docs-internals-security"
description: |-
  Consul relies on both a lightweight gossip mechanism and an RPC system to provide various features. Both of the systems have different security mechanisms that stem from their designs. However, the security mechanisms of Consul have a common goal: to provide confidentiality, integrity, and authentication.
---
# Security Model

Consul relies on both a lightweight gossip mechanism and an RPC system
to provide various features. Both of the systems have different security
mechanisms that stem from their designs. However, the security mechanisms
of Consul have a common goal: to provide
[confidentiality, integrity, and authentication](https://en.wikipedia.org/wiki/Information_security).

The [gossip protocol](/docs/internals/gossip.html) is powered by [Serf](https://www.serfdom.io/),
which uses a symmetric key, or shared secret, cryptosystem. There are more
details on the security of [Serf here](https://www.serfdom.io/docs/internals/security.html).
For details on how to enable Serf's gossip encryption in Consul, see the
[encryption doc here](/docs/agent/encryption.html).

The RPC system supports using end-to-end TLS with optional client authentication.
[TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security) is a widely deployed asymmetric
cryptosystem and is the foundation of security on the Web.
This means Consul communication is protected against eavesdropping, tampering,
and spoofing. This makes it possible to run Consul over untrusted networks such
as EC2 and other shared hosting providers.

~> **Advanced Topic!** This page covers the technical details of
the security model of Consul. You don't need to know these details to
operate and use Consul. These details are documented here for those who wish
to learn about them without having to go spelunking through the source code.

## Threat Model

The following are the various parts of our threat model:

* Non-members getting access to data
* Cluster state manipulation due to malicious messages
* Fake data generation due to malicious messages
* Tampering causing state corruption
* Denial of Service against a node

Additionally, we recognize that an attacker that can observe network
traffic for an extended period of time may infer the cluster members.
The gossip mechanism used by Consul relies on sending messages to random
members, so an attacker can record all destinations and determine all
members of the cluster.
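
The membership-inference limitation described above can be quantified with a small simulation. This is an added example, not Consul or Serf code: the cluster size, the per-round fanout, and the model itself (one observed member picking uniformly random distinct targets each round) are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"math/rand"
)

// DiscoveredAfter simulates a passive observer on one member's network link.
// Each gossip round the member sends to `fanout` distinct random peers out of
// n-1 (requires fanout <= n-1). The observer cannot read encrypted payloads
// but records destination addresses. The result holds, per round, how many
// distinct peers have been seen so far.
func DiscoveredAfter(n, fanout, rounds int, seed int64) []int {
	rng := rand.New(rand.NewSource(seed)) // fixed seed: repeatable runs
	seen := make(map[int]bool)
	history := make([]int, 0, rounds)
	for r := 0; r < rounds; r++ {
		for _, peer := range rng.Perm(n - 1)[:fanout] {
			seen[peer] = true
		}
		history = append(history, len(seen))
	}
	return history
}

// RoundsToEnumerate returns the first round at which every peer has appeared
// as a destination, or -1 if that does not happen within maxRounds.
func RoundsToEnumerate(n, fanout, maxRounds int, seed int64) int {
	for i, count := range DiscoveredAfter(n, fanout, maxRounds, seed) {
		if count == n-1 {
			return i + 1
		}
	}
	return -1
}

func main() {
	// Constructed parameters: 50-member cluster, 3 gossip targets per round.
	n, fanout := 50, 3
	for seed := int64(1); seed <= 3; seed++ {
		fmt.Printf("seed %d: all %d peers observed after %d rounds\n",
			seed, n-1, RoundsToEnumerate(n, fanout, 10000, seed))
	}
}
```

Encryption does not change this result, since the observer only needs packet destinations; hiding membership requires controls at the network layer.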

When designing security into a system, you design it to fit the threat model.
Our goal is not to protect top secret data but to provide a "reasonable"
level of security that would require an attacker to commit a considerable
amount of resources to defeat.