Hashicorp Consul Refresher - Gossip TLS Encryption
Consul Agent Communication
The communication between servers in your Consul cluster is not encrypted by default, but Consul supports TLS encryption, which is configured in the server configuration file /etc/consul.d/consul.hcl.
TLS Encryption Settings
The following parameters have to be set in every Consul agent configuration file to enable encryption:
verify_server_hostname = true
verify_incoming = true
verify_outgoing = true
When verify_server_hostname is enabled you need server certificates whose SAN (subject alternative name) matches [servername].[datacenter].[domain]. If you use Consul to create your certificates (see below) this is done automatically.
Certificate Authority
Consul can act as its own CA, and certificates can be generated through the Consul CLI:
- Server:
consul tls cert create -server
- Client:
consul tls cert create -client
- CLI:
consul tls cert create -cli
The Consul CA is chosen automatically if Connect is enabled without providing an external CA, and client certificates are then distributed automatically:
sudo nano /etc/consul.d/consul.hcl
Add the following lines to the end of the file and run service consul restart:
connect {
  enabled = true
}
Required Certificates
- The Consul HTTP API and RPC communication (TLS Certificates)
- Service Mesh (mTLS Certificates)
TLS Upgrade for an existing Consul Cluster
Add the Encryption Key
- Generate an encryption key
consul keygen
+bLh5g5Q8N1RL2QQaY9U9z6I5Qi1WWDw6G3KMgeaTKg=
- Add the key to the keyring
consul keyring -install="+bLh5g5Q8N1RL2QQaY9U9z6I5Qi1WWDw6G3KMgeaTKg="
==> Installing new gossip encryption key...
Configure all Consul Agents
First install the key on every agent with verification disabled, so agents that have not been restarted yet can still gossip in plaintext:
nano /etc/consul.d/consul.hcl
encrypt = "+bLh5g5Q8N1RL2QQaY9U9z6I5Qi1WWDw6G3KMgeaTKg="
encrypt_verify_incoming = false
encrypt_verify_outgoing = false
Restart all Consul Agents
service consul restart
Enable Encryption on all Agents
Once every agent has the key, enable outgoing verification on all agents and restart them:
encrypt = "+bLh5g5Q8N1RL2QQaY9U9z6I5Qi1WWDw6G3KMgeaTKg="
encrypt_verify_incoming = false
encrypt_verify_outgoing = true
service consul restart
Finally, enable incoming verification on all agents and restart them once more; from now on unencrypted gossip messages are rejected:
encrypt = "+bLh5g5Q8N1RL2QQaY9U9z6I5Qi1WWDw6G3KMgeaTKg="
encrypt_verify_incoming = true
encrypt_verify_outgoing = true
service consul restart
We can verify that encryption is enabled by checking the journal for Encrypt: Gossip: true:
journalctl -u consul | grep Gossip
Sep 08 13:57:46 consul-master consul[42418]: Encrypt: Gossip: false, TLS-Outgoing: false, TLS-Incoming: false, Auto-Encrypt-TLS: false
Sep 08 14:10:02 consul-master consul[44340]: Encrypt: Gossip: true, TLS-Outgoing: false, TLS-Incoming: false, Auto-Encrypt-TLS: false
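The three-phase rollout and the journal check above, as an added shell example that is not part of the original page: it renders the encrypt stanza for each phase, sanity-checks a key before it is installed, and confirms from the agent log that the key was picked up. The key and the log lines are the page's sample values; nothing here writes to a real consul.hcl.

```shell
#!/bin/sh
# Added example, not from the original page: helpers for the three-phase
# gossip encryption rollout. KEY and LOG are the page's sample values.
set -e

# Render the encrypt stanza for one rollout phase:
#   1: install key, verify nothing (agents still accept and send plaintext)
#   2: verify outgoing only       (send encrypted, still accept plaintext)
#   3: verify both directions     (plaintext gossip is rejected)
gossip_phase_hcl() {
  key=$1; phase=$2
  case $phase in
    1) vin=false; vout=false ;;
    2) vin=false; vout=true  ;;
    3) vin=true;  vout=true  ;;
    *) echo "unknown phase: $phase" >&2; return 1 ;;
  esac
  printf 'encrypt = "%s"\nencrypt_verify_incoming = %s\nencrypt_verify_outgoing = %s\n' \
    "$key" "$vin" "$vout"
}

# Check a key before `consul keyring -install`: it must be base64 of
# 16, 24 or 32 bytes, the AES key sizes the gossip layer accepts.
valid_gossip_key() {
  n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ "$n" = 16 ] || [ "$n" = 24 ] || [ "$n" = 32 ]
}

# Read agent log lines on stdin; succeed only if the latest "Encrypt:" line
# reports Gossip: true, i.e. the restarted agent actually loaded the key.
gossip_enabled() {
  grep 'Encrypt: Gossip:' | tail -n 1 | grep -q 'Gossip: true'
}

KEY='+bLh5g5Q8N1RL2QQaY9U9z6I5Qi1WWDw6G3KMgeaTKg='
# Constructed from the two journal lines shown on the page.
LOG='Sep 08 13:57:46 consul-master consul[42418]: Encrypt: Gossip: false, TLS-Outgoing: false, TLS-Incoming: false, Auto-Encrypt-TLS: false
Sep 08 14:10:02 consul-master consul[44340]: Encrypt: Gossip: true, TLS-Outgoing: false, TLS-Incoming: false, Auto-Encrypt-TLS: false'

valid_gossip_key "$KEY"
gossip_phase_hcl "$KEY" 1      # phase 1 stanza to append to /etc/consul.d/consul.hcl
printf '%s\n' "$LOG" | gossip_enabled && echo "gossip encryption is enabled"
```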
Key Management with Keyring
Distribute new Keys
This command distributes the key you created with consul keygen around the Consul cluster:
consul keyring -install="+bLh5g5Q8N1RL2QQaY9U9z6I5Qi1WWDw6G3KMgeaTKg="
==> Installing new gossip encryption key...
List Keys
Check the currently available keys:
consul keyring -list
==> Gathering installed encryption keys...
WAN:
+bLh5g5Q8N1RL2QQaY9U9z6I5Qi1WWDw6G3KMgeaTKg= [1/1]
instaryun (LAN):
+bLh5g5Q8N1RL2QQaY9U9z6I5Qi1WWDw6G3KMgeaTKg= [2/2]
Update your Cluster to a new Key
consul keyring -use="+bLh5g5Q8N1RL2QQaY9U9z6I5Qi1WWDw6G3KMgeaTKg="
==> Changing primary gossip encryption key...
Remove old Keys
consul keyring -remove="myoldkey"
==> Removing gossip encryption key...