Update default gossip encryption key size to 32 bytes

This commit is contained in:
freddygv 2019-07-30 09:45:41 -06:00
parent 5bb8d60786
commit 1a14b94441
8 changed files with 38 additions and 39 deletions


@ -407,11 +407,11 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
{
desc: "-encrypt",
args: []string{
`-encrypt=i0P+gFTkLPg0h53eNYjydg==`,
`-encrypt=pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=`,
`-data-dir=` + dataDir,
},
patch: func(rt *RuntimeConfig) {
rt.EncryptKey = "i0P+gFTkLPg0h53eNYjydg=="
rt.EncryptKey = "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="
rt.DataDir = dataDir
},
},
@ -2104,14 +2104,14 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
args: []string{
`-data-dir=` + dataDir,
},
json: []string{`{ "encrypt": "i0P+gFTkLPg0h53eNYjydg==" }`},
hcl: []string{` encrypt = "i0P+gFTkLPg0h53eNYjydg==" `},
json: []string{`{ "encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=" }`},
hcl: []string{` encrypt = "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=" `},
patch: func(rt *RuntimeConfig) {
rt.EncryptKey = "i0P+gFTkLPg0h53eNYjydg=="
rt.EncryptKey = "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="
rt.DataDir = dataDir
},
pre: func() {
writeFile(filepath.Join(dataDir, SerfLANKeyring), []byte("i0P+gFTkLPg0h53eNYjydg=="))
writeFile(filepath.Join(dataDir, SerfLANKeyring), []byte("pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="))
},
warns: []string{`WARNING: LAN keyring exists but -encrypt given, using keyring`},
},
@ -2120,17 +2120,17 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
args: []string{
`-data-dir=` + dataDir,
},
json: []string{`{ "encrypt": "i0P+gFTkLPg0h53eNYjydg==", "server": true }`},
hcl: []string{` encrypt = "i0P+gFTkLPg0h53eNYjydg==" server = true `},
json: []string{`{ "encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=", "server": true }`},
hcl: []string{` encrypt = "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=" server = true `},
patch: func(rt *RuntimeConfig) {
rt.EncryptKey = "i0P+gFTkLPg0h53eNYjydg=="
rt.EncryptKey = "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="
rt.ServerMode = true
rt.LeaveOnTerm = false
rt.SkipLeaveOnInt = true
rt.DataDir = dataDir
},
pre: func() {
writeFile(filepath.Join(dataDir, SerfWANKeyring), []byte("i0P+gFTkLPg0h53eNYjydg=="))
writeFile(filepath.Join(dataDir, SerfWANKeyring), []byte("pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="))
},
warns: []string{`WARNING: WAN keyring exists but -encrypt given, using keyring`},
},


@ -32,13 +32,13 @@ func (c *cmd) Run(args []string) int {
return 1
}
key := make([]byte, 16)
key := make([]byte, 32)
n, err := rand.Reader.Read(key)
if err != nil {
c.UI.Error(fmt.Sprintf("Error reading random data: %s", err))
return 1
}
if n != 16 {
if n != 32 {
c.UI.Error(fmt.Sprintf("Couldn't read enough entropy. Generate more entropy!"))
return 1
}
@ -59,7 +59,7 @@ const synopsis = "Generates a new encryption key"
const help = `
Usage: consul keygen
Generates a new encryption key that can be used to configure the
Generates a new 32-byte encryption key that can be used to configure the
agent to encrypt traffic. The output of this command is already
in the proper format that the agent expects.
`
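Review bot: The key length 32 is now written out three times in this file — `key := make([]byte, 32)`, `if n != 32`, and again in the help text — so the next size change has to find all of them; hoist it into a named constant such as `const keyLen = 32` and use it in both the allocation and the check. The hand-rolled short-read branch can then go away entirely: `if _, err := io.ReadFull(rand.Reader, key); err != nil { ... }` guarantees either all 32 bytes or a non-nil error, which is what the `n != 32` comparison is trying to enforce after a bare `rand.Reader.Read` (assuming `rand` is `crypto/rand`; the import block is outside the hunk). The enclosing `Run` starts before this hunk and continues past it. If the agent still accepts the older 16-byte keys, the help text is accurate for what keygen emits, but the docs updated in the same commit now state the key "must be 32-bytes", which is worth confirming against the agent's actual key validation before it is published.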


@ -29,8 +29,7 @@ func TestKeygenCommand(t *testing.T) {
if err != nil {
t.Fatalf("err: %s", err)
}
if len(result) != 16 {
if len(result) != 32 {
t.Fatalf("bad: %#v", result)
}
}


@ -58,9 +58,9 @@ $ curl \
"Datacenter": "dc1",
"Segment": "",
"Keys": {
"0eK8RjnsGC/+I1fJErQsBA==": 1,
"G/3/L4yOw3e5T7NTvuRi9g==": 1,
"z90lFx3sZZLtTOkutXcwYg==": 1
"pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=": 1,
"ZWTL+bgjHyQPhJRKcFe3ccirc2SFHmc/Nw67l8NQfdk=": 1,
"WbL6oaTPom+7RG7Q/INbJWKy09OLar/Hf2SuOAdoQE4=": 1
},
"NumNodes": 1
},
@ -69,9 +69,9 @@ $ curl \
"Datacenter": "dc1",
"Segment": "",
"Keys": {
"0eK8RjnsGC/+I1fJErQsBA==": 1,
"G/3/L4yOw3e5T7NTvuRi9g==": 1,
"z90lFx3sZZLtTOkutXcwYg==": 1
"pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=": 1,
"ZWTL+bgjHyQPhJRKcFe3ccirc2SFHmc/Nw67l8NQfdk=": 1,
"WbL6oaTPom+7RG7Q/INbJWKy09OLar/Hf2SuOAdoQE4=": 1
},
"NumNodes": 1
}
@ -122,7 +122,7 @@ The table below shows this endpoint's support for
```json
{
"Key": "3lg9DxVfKNzI8O+IQ5Ek+Q=="
"Key": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="
}
```
@ -168,7 +168,7 @@ The table below shows this endpoint's support for
```json
{
"Key": "3lg9DxVfKNzI8O+IQ5Ek+Q=="
"Key": "WbL6oaTPom+7RG7Q/INbJWKy09OLar/Hf2SuOAdoQE4="
}
```
@ -213,7 +213,7 @@ The table below shows this endpoint's support for
```json
{
"Key": "3lg9DxVfKNzI8O+IQ5Ek+Q=="
"Key": "WbL6oaTPom+7RG7Q/INbJWKy09OLar/Hf2SuOAdoQE4="
}
```


@ -20,13 +20,13 @@ starting the Consul agent. The key can be set via the `encrypt` parameter.
~> **WAN Joined Datacenters Note:** If using multiple WAN joined datacenters, be sure to use _the same encryption key_ in all datacenters.
The key must be 16-bytes, Base64 encoded. As a convenience, Consul provides the
The key must be 32-bytes, Base64 encoded. As a convenience, Consul provides the
[`consul keygen`](/docs/commands/keygen.html) command to generate a
cryptographically suitable key:
```text
$ consul keygen
cg8StVXbQJ0gPvMd9o7yrg==
pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=
```
With that key, you can enable encryption on the agent. If encryption is enabled,
@ -34,7 +34,7 @@ the output of [`consul agent`](/docs/commands/agent.html) will include "Encrypt:
```text
$ cat encrypt.json
{"encrypt": "cg8StVXbQJ0gPvMd9o7yrg=="}
{"encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="}
$ consul agent -data-dir=/tmp/consul -config-file=encrypt.json
==> WARNING: LAN keyring exists but -encrypt given, using keyring


@ -242,7 +242,7 @@ will exit with an error at startup.
* <a name="_encrypt"></a><a href="#_encrypt">`-encrypt`</a> - Specifies the secret key to
use for encryption of Consul
network traffic. This key must be 16-bytes that are Base64-encoded. The
network traffic. This key must be 32-bytes that are Base64-encoded. The
easiest way to create an encryption key is to use
[`consul keygen`](/docs/commands/keygen.html). All
nodes within a cluster must share the same encryption key to communicate.


@ -14,13 +14,13 @@ To complete the RPC encryption section, you must have [configured agent certific
## Gossip Encryption
To enable gossip encryption, you need to use an encryption key when starting the Consul agent. The key can be simple set with the `encrypt` parameter in the agent configuration file. Alternatively, the encryption key can be placed in a seperate configuration file with only the `encrypt` field, since the agent can merge multiple configuration files. The key must be 16-bytes, Base64 encoded.
To enable gossip encryption, you need to use an encryption key when starting the Consul agent. The key can be simple set with the `encrypt` parameter in the agent configuration file. Alternatively, the encryption key can be placed in a seperate configuration file with only the `encrypt` field, since the agent can merge multiple configuration files. The key must be 32-bytes, Base64 encoded.
You can use the Consul CLI command, [`consul keygen`](/docs/commands/keygen.html), to generate a cryptographically suitable key.
```sh
$ consul keygen
cg8StVXbQJ0gPvMd9o7yrg==
pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=
```
### Enable Gossip Encryption: New Cluster
@ -34,7 +34,7 @@ agent configuration file and then pass the file at startup with the [`-config-di
"log_level": "INFO",
"node_name": "bulldog",
"server": true,
"encrypt": "JY34uTPZyfUE+6tinMYEVw=="
"encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="
}
```
@ -64,7 +64,7 @@ Gossip encryption can also be enabled on an existing cluster, but requires sever
```sh
$ consul keygen
JY34uTPZyfUE+6tinMYEVw==
pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=
```
**Step 2**: Set the [`encrypt`](/docs/agent/options.html#_encrypt) key, and set `encrypt_verify_incoming` and `encrypt_verify_outgoing` to `false` in the agent configuration file. Then initiate a rolling update of the cluster with these new values. After this step, the agents will be able to decrypt gossip but will not yet be sending encrypted traffic.
@ -75,7 +75,7 @@ JY34uTPZyfUE+6tinMYEVw==
"log_level": "INFO",
"node_name": "bulldog",
"server": true,
"encrypt": "JY34uTPZyfUE+6tinMYEVw==",
"encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=",
"encrypt_verify_incoming": false,
"encrypt_verify_outgoing": false
}
@ -91,7 +91,7 @@ A rolling update can be made by restarting the Consul agents (clients and server
"log_level": "INFO",
"node_name": "bulldog",
"server": true,
"encrypt": "JY34uTPZyfUE+6tinMYEVw==",
"encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=",
"encrypt_verify_incoming": false,
"encrypt_verify_outgoing": true
}
@ -105,7 +105,7 @@ A rolling update can be made by restarting the Consul agents (clients and server
"log_level": "INFO",
"node_name": "bulldog",
"server": true,
"encrypt": "JY34uTPZyfUE+6tinMYEVw==",
"encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=",
"encrypt_verify_incoming": true,
"encrypt_verify_outgoing": true
}
@ -139,7 +139,7 @@ After TLS has been configured on all the agents, you can start the agents and RP
"log_level": "INFO",
"node_name": "bulldog",
"server": true,
"encrypt": "JY34uTPZyfUE+6tinMYEVw==",
"encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=",
"verify_incoming": true,
"verify_outgoing": true,
"verify_server_hostname": true,
@ -165,7 +165,7 @@ Enabling TLS on an existing cluster is supported. This process assumes a startin
"log_level": "INFO",
"node_name": "bulldog",
"server": true,
"encrypt": "JY34uTPZyfUE+6tinMYEVw==",
"encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=",
"verify_incoming": false,
"verify_outgoing": false,
"ca_file": "consul-agent-ca.pem",
@ -187,7 +187,7 @@ Next, perform a rolling restart of each agent in the cluster. After this step, T
"log_level": "INFO",
"node_name": "bulldog",
"server": true,
"encrypt": "JY34uTPZyfUE+6tinMYEVw==",
"encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=",
"verify_incoming": true,
"verify_outgoing": true,
"verify_server_hostname": true,


@ -151,7 +151,7 @@ Add this configuration to the `consul.hcl` configuration file:
```hcl
datacenter = "dc1"
data_dir = "/opt/consul"
encrypt = "Luj2FZWwlt8475wD1WtwUQ=="
encrypt = "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="
```
- [`datacenter`](/docs/agent/options.html#_datacenter) - The datacenter in which the agent is running.