mirror of https://github.com/hashicorp/consul
50 lines
1.5 KiB
Markdown
50 lines
1.5 KiB
Markdown
---
|
|
layout: "docs"
|
|
page_title: "Encryption"
|
|
sidebar_current: "docs-agent-encryption"
|
|
---
|
|
|
|
# Encryption
|
|
|
|
The Consul agent supports encrypting all of its network traffic. The exact
|
|
method of this encryption is described on the
|
|
[encryption internals page](/docs/internals/security.html).
|
|
|
|
## Enabling Encryption
|
|
|
|
Enabling encryption only requires that you set an encryption key when
|
|
starting the Consul agent. The key can be set using the `-encrypt` flag
|
|
on `consul agent` or by setting the `encrypt_key` in a configuration file.
|
|
It is advisable to put the key in a configuration file to avoid other users
|
|
from being able to discover it by inspecting running processes.
|
|
The key must be 16-bytes that are base64 encoded. The easiest method to
|
|
obtain a cryptographically suitable key is by using `consul keygen`.
|
|
|
|
```
|
|
$ consul keygen
|
|
cg8StVXbQJ0gPvMd9o7yrg==
|
|
```
|
|
|
|
With that key, you can enable encryption on the agent. You can verify
|
|
encryption is enabled because the output will include "Encrypted: true".
|
|
|
|
```
|
|
$ consul agent -data=/tmp/consul -encrypt=cg8StVXbQJ0gPvMd9o7yrg==
|
|
==> Starting Consul agent...
|
|
==> Starting Consul agent RPC...
|
|
==> Consul agent running!
|
|
Node name: 'Armons-MacBook-Air.local'
|
|
Datacenter: 'dc1'
|
|
Advertise addr: '10.1.10.12'
|
|
RPC addr: '127.0.0.1:8400'
|
|
HTTP addr: '127.0.0.1:8500'
|
|
DNS addr: '127.0.0.1:8600'
|
|
Encrypted: true
|
|
Server: false (bootstrap: false)
|
|
...
|
|
```
|
|
|
|
All nodes within a Consul cluster must share the same encryption key in
|
|
order to send and receive cluster information.
|
|
|