mirror of https://github.com/hashicorp/consul
56 lines
4.5 KiB
Markdown
56 lines
4.5 KiB
Markdown
---
|
|
layout: docs
|
|
page_title: Encrypted communication between Consul agents
|
|
description: >-
|
|
Consul supports encrypting all of its network traffic. Remote Procedure Calls (RPCs) between client and server agents can be encrypted with TLS and authenticated with certificates. Gossip communication between all agents can also be encrypted.
|
|
---
|
|
|
|
# Encrypted communication between Consul agents
|
|
|
|
This topic provides an overview of the two distinct encryption systems available in Consul. [Gossip encryption](/consul/docs/security/encryption#gossip-encryption) and [Mutual TLS encryption](/consul/docs/security/encryption#mutual-tls-mtls-encryption) are the foundations of a secure Consul datacenter.
|
|
|
|
The guidelines in the [Consul security model](/consul/docs/security/security-models/core) for operating a secure Consul deployment recommends using both encryption systems.
|
|
|
|
## Gossip Encryption
|
|
|
|
Consul uses a [gossip protocol](/consul/docs/architecture/gossip) to perform the following cluster operations:
|
|
|
|
- Identify datacenter members.
|
|
- Quickly detect failed members and notify the rest of the cluster.
|
|
- Broadcast events and queries that can trigger custom workflows.
|
|
|
|
The gossip protocol, as well as its membership management and message broadcasting features, use the [Serf library](https://github.com/hashicorp/serf/).
|
|
|
|
In a default Consul configuration, the gossip protocol uses [port `8301`](/consul/docs/install/ports#lan-serf) for LAN communications and [port `8302`](/consul/docs/install/ports#lan-serf) for WAN communications between federated datacenters. Enabling gossip encryption on a Consul datacenter is required to secure traffic on these two ports.
|
|
|
|
Gossip encryption is symmetric and based on a single key that is shared across all members of the datacenter. You can configure gossip encryption in Consul using the following parameters:
|
|
|
|
- [`encrypt`](/consul/docs/agent/config/config-files#encrypt).
|
|
- [`encrypt_verify_incoming`](/consul/docs/agent/config/config-files#encrypt_verify_incoming). Only used when upshifting from unencrypted to encrypted gossip on a running cluster.
|
|
- [`encrypt_verify_outgoing`](/consul/docs/agent/config/config-files#encrypt_verify_outgoing). Only used when upshifting from unencrypted to encrypted gossip on a running cluster.
|
|
|
|
To learn more about enabling gossip encryption on your Consul datacenter and rotating gossip keys, refer to [manage gossip encryption](/consul/docs/security/encryption/gossip).
|
|
|
|
## Mutual TLS (mTLS) Encryption
|
|
|
|
Consul uses several communication protocols over different ports that you can secure using mTLS:
|
|
|
|
- A [consensus protocol](/consul/docs/architecture/consensus) provides data consistency between Consul servers. It typically uses [port `8300`](/consul/docs/install/ports#server-rpc).
|
|
- Remote Procedure Calls (RPC) forward requests from client agents to server agents. They use the same port the consensus protocol uses.
|
|
- An HTTP or HTTPS interface permits client communication with the Consul API, CLI, and UI. It typically uses [port `8500`](/consul/docs/install/ports#http) and [port `8501`](/consul/docs/install/ports#https).
|
|
- A gRPC interface receives incoming traffic from the gateways and Envoy proxies registered to the agent node. It typically uses [port `8502`](/consul/docs/install/ports#client-grpc) and [port `8503`](/consul/docs/install/ports#client-grpc-tls).
|
|
|
|
Consul uses mTLS to verify the authenticity of server and client agents. It requires that all clients and servers have key pairs that are generated by a single Certification Authority (CA). We recommend using a private CA that is not shared with other applications.
|
|
|
|
You can configure mTLS in Consul using the [`tls` stanza in agent configuration files](/consul/docs/agent/config/config-files#tls-1).
|
|
|
|
You can configure mTLS encryption for each protocol separately using the following parameters in the agent configuration file:
|
|
|
|
- [`tls.defaults`](/consul/docs/agent/config/config-files#tls_defaults) provides default settings that Consul applies to every interface unless explicitly overridden by protocol-specific configurations.
|
|
- [`tls.internal_rpc`](/consul/docs/agent/config/config-files#tls_internal_rpc) provides settings for the internal server RPC interface.
|
|
- [`tls.https`](/consul/docs/agent/config/config-files#tls_https) provides settings for the HTTP/HTTPS interface.
|
|
- [`tls.grpc`](/consul/docs/agent/config/config-files#tls_grpc) provides settings for the gRPC/xDS interface.
|
|
|
|
To learn more about enabling mTLS on your Consul datacenter, refer to [Manage mTLS encryption](/consul/docs/security/encryption/mTLS).
|
|
|