github
/
consul
mirror of https://github.com/hashicorp/consul
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Final edits to encryption doc.

Browse Source
pull/664/head
Ryan Breen 10 years ago
parent 02c7ed0e94
commit 3a184a06f7
1 changed files with 6 additions and 5 deletions
Show Stats Download Patch File Download Diff File

11
website/source/docs/agent/encryption.html.markdown
Unescape View File

@ -15,10 +15,10 @@ There are two separate encryption systems, one for gossip traffic and one for RP
## Gossip Encryption
Enabling gossip encryption only requires that you set an encryption key when
starting the Consul agent. The key can be set via the `encrypt` parameter: this
starting the Consul agent. The key can be set via the `encrypt` parameter: the
value of this setting is a configuration file containing the encryption key.
The key must be 16-bytes, Base64 encoded. As a convenience, Consul contains the
The key must be 16-bytes, Base64 encoded. As a convenience, Consul provides the
`consul keygen` commmand to generate a cryptographically suitable key:
```text
@ -57,13 +57,14 @@ Consul supports using TLS to verify the authenticity of servers and clients. To
Consul requires that all clients and servers have key pairs that are generated by a single
Certificate Authority. This can be a private CA, used only internally. The
CA then signs keys for each of the agents, as in
[this tutorial on generationg both a CA and signing keys](https://langui.sh/2009/01/18/openssl-self-signed-ca/)
[this tutorial on generating both a CA and signing keys](https://langui.sh/2009/01/18/openssl-self-signed-ca/)
using OpenSSL. Note: client certificates must have
[Extended Key Usage](https://www.openssl.org/docs/apps/x509v3_config.html#extended_key_usage_) enabled
for client and server authentication.
TLS can be used to verify the authenticity of the servers or verify the authenticity of clients. These modes are
controlled by the `verify_outgoing` and `verify_incoming` [options](/docs/agent/options.html), respectively.
TLS can be used to verify the authenticity of the servers or verify the authenticity of clients.
These modes are controlled by the `verify_outgoing` and `verify_incoming` [options](/docs/agent/options.html),
respectively.
If `verify_outgoing` is set, agents verify the authenticity of Consul for outgoing
connections. Server nodes must present a certificate signed by the certificate authority

Write Preview
Loading…
Cancel
Save