2014-09-11 11:19:48 -07:00
|
|
|
---
|
2020-04-07 14:55:19 -04:00
|
|
|
layout: docs
|
|
|
|
page_title: 'Commands: Keyring'
|
2020-04-13 14:40:26 -04:00
|
|
|
sidebar_title: keyring
|
2014-09-11 11:19:48 -07:00
|
|
|
---
|
|
|
|
|
2014-09-12 20:08:54 -07:00
|
|
|
# Consul Keyring
|
2014-09-11 11:19:48 -07:00
|
|
|
|
2014-09-12 20:08:54 -07:00
|
|
|
Command: `consul keyring`
|
2014-09-11 11:19:48 -07:00
|
|
|
|
2014-09-12 20:08:54 -07:00
|
|
|
The `keyring` command is used to examine and modify the encryption keys used in
|
2020-04-09 19:46:54 -04:00
|
|
|
Consul's [Gossip Pools](/docs/internals/gossip). It is capable of
|
2014-09-18 18:57:18 -07:00
|
|
|
distributing new encryption keys to the cluster, retiring old encryption keys,
|
|
|
|
and changing the keys used by the cluster to encrypt messages.
|
2014-09-11 11:19:48 -07:00
|
|
|
|
|
|
|
Consul allows multiple encryption keys to be in use simultaneously. This is
|
|
|
|
intended to provide a transition state while the cluster converges. It is the
|
|
|
|
responsibility of the operator to ensure that only the required encryption keys
|
2014-09-30 17:31:16 -07:00
|
|
|
are installed on the cluster. You can review the installed keys using the
|
|
|
|
`-list` argument, and remove unneeded keys with `-remove`.
|
2014-09-11 11:19:48 -07:00
|
|
|
|
2014-10-02 22:05:00 -07:00
|
|
|
All operations performed by this command can only be run against server nodes,
|
2019-08-12 11:11:11 -07:00
|
|
|
and affect both the LAN and WAN keyrings in lock-step. The only exception to this
|
2020-04-07 14:55:19 -04:00
|
|
|
is for the `-list` operation, you may set the `-local-only` flag to only query
|
|
|
|
against local server nodes.
|
2014-09-30 15:31:07 -07:00
|
|
|
|
2014-10-02 22:05:00 -07:00
|
|
|
All variations of the `keyring` command return 0 if all nodes reply and there
|
|
|
|
are no errors. If any node fails to reply or reports failure, the exit code
|
|
|
|
will be 1.
|
2014-09-11 11:19:48 -07:00
|
|
|
|
|
|
|
## Usage
|
|
|
|
|
2014-09-12 20:08:54 -07:00
|
|
|
Usage: `consul keyring [options]`
|
2014-09-11 11:19:48 -07:00
|
|
|
|
2014-10-02 22:05:00 -07:00
|
|
|
Only one actionable argument may be specified per run, including `-list`,
|
|
|
|
`-install`, `-remove`, and `-use`.
|
2014-09-11 11:19:48 -07:00
|
|
|
|
2017-02-08 18:25:47 -05:00
|
|
|
#### API Options
|
|
|
|
|
2020-04-07 14:55:19 -04:00
|
|
|
@include 'http_api_options_client.mdx'
|
2017-02-08 18:25:47 -05:00
|
|
|
|
|
|
|
#### Command Options
|
2014-09-11 11:19:48 -07:00
|
|
|
|
2020-04-07 14:55:19 -04:00
|
|
|
- `-list` - List all keys currently in use within the cluster.
|
2014-09-18 18:57:18 -07:00
|
|
|
|
2020-04-07 14:55:19 -04:00
|
|
|
- `-install` - Install a new encryption key. This will broadcast the new key to
|
2014-09-11 11:19:48 -07:00
|
|
|
all members in the cluster.
|
|
|
|
|
2020-04-07 14:55:19 -04:00
|
|
|
- `-use` - Change the primary encryption key, which is used to encrypt messages.
|
2014-09-11 11:19:48 -07:00
|
|
|
The key must already be installed before this operation can succeed.
|
|
|
|
|
2020-04-07 14:55:19 -04:00
|
|
|
- `-remove` - Remove the given key from the cluster. This operation may only be
|
2014-09-11 11:19:48 -07:00
|
|
|
performed on keys which are not currently the primary key.
|
|
|
|
|
2020-04-07 14:55:19 -04:00
|
|
|
- `-relay-factor` - Added in Consul 0.7.4, setting this to a non-zero value will
|
2017-02-01 21:42:41 -05:00
|
|
|
cause nodes to relay their response to the operation through this many
|
|
|
|
randomly-chosen other nodes in the cluster. The maximum allowed value is 5.
|
|
|
|
|
2020-04-07 14:55:19 -04:00
|
|
|
- `-local-only` - Setting this to true will force a keyring list query to only hit
|
2019-08-12 11:11:11 -07:00
|
|
|
local servers (no WAN traffic). Setting `local-only` is only allowed for list
|
|
|
|
queries.
|
|
|
|
|
2014-09-30 17:31:16 -07:00
|
|
|
## Output
|
|
|
|
|
|
|
|
The output of the `consul keyring -list` command consolidates information from
|
|
|
|
all nodes and all datacenters to provide a simple and easy to understand view of
|
|
|
|
the cluster. The following is some example output from a cluster with two
|
|
|
|
datacenters, each which consist of one server and one client:
|
|
|
|
|
2020-04-07 19:56:08 -04:00
|
|
|
```text
|
2014-09-30 17:31:16 -07:00
|
|
|
==> Gathering installed encryption keys...
|
|
|
|
==> Done!
|
|
|
|
|
|
|
|
WAN:
|
|
|
|
a1i101sMY8rxB+0eAKD/gw== [2/2]
|
|
|
|
|
|
|
|
dc2 (LAN):
|
|
|
|
a1i101sMY8rxB+0eAKD/gw== [2/2]
|
|
|
|
|
|
|
|
dc1 (LAN):
|
|
|
|
a1i101sMY8rxB+0eAKD/gw== [2/2]
|
2017-09-07 12:17:39 -07:00
|
|
|
|
|
|
|
dc1 (LAN) [alpha]:
|
|
|
|
a1i101sMY8rxB+0eAKD/gw== [2/2]
|
2014-09-30 17:31:16 -07:00
|
|
|
```
|
|
|
|
|
2017-09-07 12:17:39 -07:00
|
|
|
As you can see, the output above is divided first by gossip pool, including any network
|
|
|
|
segments, and then by encryption key. The indicator to the right of each key displays
|
|
|
|
the number of nodes the key is installed on over the total number of nodes in the pool.
|
2014-09-30 17:31:16 -07:00
|
|
|
|
|
|
|
## Errors
|
|
|
|
|
|
|
|
If any errors are encountered while performing a keyring operation, no key
|
|
|
|
information is displayed, but instead only error information. The error
|
|
|
|
information is arranged in a similar fashion, organized first by datacenter,
|
|
|
|
followed by a simple list of nodes which had errors, and the actual text of the
|
|
|
|
error. Below is sample output from the same cluster as above, if we try to do
|
|
|
|
something that causes an error; in this case, trying to remove the primary key:
|
|
|
|
|
2020-04-07 19:56:08 -04:00
|
|
|
```text
|
2014-09-30 17:31:16 -07:00
|
|
|
==> Removing gossip encryption key...
|
|
|
|
|
|
|
|
dc1 (LAN) error: 2/2 nodes reported failure
|
|
|
|
server1: Removing the primary key is not allowed
|
|
|
|
client1: Removing the primary key is not allowed
|
|
|
|
|
|
|
|
WAN error: 2/2 nodes reported failure
|
|
|
|
server1.dc1: Removing the primary key is not allowed
|
|
|
|
server2.dc2: Removing the primary key is not allowed
|
|
|
|
|
|
|
|
dc2 (LAN) error: 2/2 nodes reported failure
|
|
|
|
server2: Removing the primary key is not allowed
|
|
|
|
client2: Removing the primary key is not allowed
|
|
|
|
```
|
|
|
|
|
|
|
|
As you can see, each node with a failure reported what went wrong.
|