diff --git a/agent/config/runtime_test.go b/agent/config/runtime_test.go
index 82905da7db..681995f8c1 100644
--- a/agent/config/runtime_test.go
+++ b/agent/config/runtime_test.go
@@ -407,11 +407,11 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
{
desc: "-encrypt",
args: []string{
- `-encrypt=i0P+gFTkLPg0h53eNYjydg==`,
+ `-encrypt=pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=`,
`-data-dir=` + dataDir,
},
patch: func(rt *RuntimeConfig) {
- rt.EncryptKey = "i0P+gFTkLPg0h53eNYjydg=="
+ rt.EncryptKey = "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="
rt.DataDir = dataDir
},
},
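Review bot: Every 16-byte fixture is replaced rather than supplemented, so this test no longer exercises the key length that existing deployments were documented to use; the same applies to the hunks at @@ -2104 and @@ -2120 below. If the agent still accepts the previous length (the validation side is not in this diff), keep one case with the old `i0P+gFTkLPg0h53eNYjydg==` value next to the 32-byte one so a backward-compatibility regression is caught here rather than at a rolling upgrade. TestConfigFlagsAndEdgecases starts and ends outside the hunk.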
@@ -2104,14 +2104,14 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
args: []string{
`-data-dir=` + dataDir,
},
- json: []string{`{ "encrypt": "i0P+gFTkLPg0h53eNYjydg==" }`},
- hcl: []string{` encrypt = "i0P+gFTkLPg0h53eNYjydg==" `},
+ json: []string{`{ "encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=" }`},
+ hcl: []string{` encrypt = "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=" `},
patch: func(rt *RuntimeConfig) {
- rt.EncryptKey = "i0P+gFTkLPg0h53eNYjydg=="
+ rt.EncryptKey = "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="
rt.DataDir = dataDir
},
pre: func() {
- writeFile(filepath.Join(dataDir, SerfLANKeyring), []byte("i0P+gFTkLPg0h53eNYjydg=="))
+ writeFile(filepath.Join(dataDir, SerfLANKeyring), []byte("pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="))
},
warns: []string{`WARNING: LAN keyring exists but -encrypt given, using keyring`},
},
@@ -2120,17 +2120,17 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
args: []string{
`-data-dir=` + dataDir,
},
- json: []string{`{ "encrypt": "i0P+gFTkLPg0h53eNYjydg==", "server": true }`},
- hcl: []string{` encrypt = "i0P+gFTkLPg0h53eNYjydg==" server = true `},
+ json: []string{`{ "encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=", "server": true }`},
+ hcl: []string{` encrypt = "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=" server = true `},
patch: func(rt *RuntimeConfig) {
- rt.EncryptKey = "i0P+gFTkLPg0h53eNYjydg=="
+ rt.EncryptKey = "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="
rt.ServerMode = true
rt.LeaveOnTerm = false
rt.SkipLeaveOnInt = true
rt.DataDir = dataDir
},
pre: func() {
- writeFile(filepath.Join(dataDir, SerfWANKeyring), []byte("i0P+gFTkLPg0h53eNYjydg=="))
+ writeFile(filepath.Join(dataDir, SerfWANKeyring), []byte("pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="))
},
warns: []string{`WARNING: WAN keyring exists but -encrypt given, using keyring`},
},
diff --git a/command/keygen/keygen.go b/command/keygen/keygen.go
index 0b95907736..b232dd62bd 100644
--- a/command/keygen/keygen.go
+++ b/command/keygen/keygen.go
@@ -32,13 +32,13 @@ func (c *cmd) Run(args []string) int {
return 1
}
- key := make([]byte, 16)
+ key := make([]byte, 32)
n, err := rand.Reader.Read(key)
if err != nil {
c.UI.Error(fmt.Sprintf("Error reading random data: %s", err))
return 1
}
- if n != 16 {
+ if n != 32 {
c.UI.Error(fmt.Sprintf("Couldn't read enough entropy. Generate more entropy!"))
return 1
}
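Review bot: The key length is now a bare literal in two places, `key := make([]byte, 32)` and `if n != 32`, which is exactly the pair that drifts on the next change; hoist it to a named constant such as `const keyLen = 32` and use it in both spots. The separate short-read check can then go away if the read becomes `if _, err := io.ReadFull(rand.Reader, key); err != nil {`, since ReadFull only returns nil when all len(key) bytes were delivered (this needs `io` in the import block, which is outside the hunk). Run starts and ends outside the hunk.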
@@ -59,7 +59,7 @@ const synopsis = "Generates a new encryption key"
const help = `
Usage: consul keygen
- Generates a new encryption key that can be used to configure the
+ Generates a new 32-byte encryption key that can be used to configure the
agent to encrypt traffic. The output of this command is already
in the proper format that the agent expects.
`
diff --git a/command/keygen/keygen_test.go b/command/keygen/keygen_test.go
index fe94906e65..288334496e 100644
--- a/command/keygen/keygen_test.go
+++ b/command/keygen/keygen_test.go
@@ -29,8 +29,7 @@ func TestKeygenCommand(t *testing.T) {
if err != nil {
t.Fatalf("err: %s", err)
}
-
- if len(result) != 16 {
+ if len(result) != 32 {
t.Fatalf("bad: %#v", result)
}
}
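Review bot: `if len(result) != 32` repeats the length literal from Run in keygen.go, so the command and its test can silently diverge; if this test file is in the same package, compare against the same named constant the command uses instead of a second literal. The check also only pins the decoded length of what is presumably the base64-decoded output — a quick assertion that `result` is not all zero bytes would additionally catch a broken entropy path that still hands back 32 bytes without an error. TestKeygenCommand starts outside the hunk.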
diff --git a/website/source/api/operator/keyring.html.md b/website/source/api/operator/keyring.html.md
index 26401744b0..b5e71f01ee 100644
--- a/website/source/api/operator/keyring.html.md
+++ b/website/source/api/operator/keyring.html.md
@@ -58,9 +58,9 @@ $ curl \
"Datacenter": "dc1",
"Segment": "",
"Keys": {
- "0eK8RjnsGC/+I1fJErQsBA==": 1,
- "G/3/L4yOw3e5T7NTvuRi9g==": 1,
- "z90lFx3sZZLtTOkutXcwYg==": 1
+ "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=": 1,
+ "ZWTL+bgjHyQPhJRKcFe3ccirc2SFHmc/Nw67l8NQfdk=": 1,
+ "WbL6oaTPom+7RG7Q/INbJWKy09OLar/Hf2SuOAdoQE4=": 1
},
"NumNodes": 1
},
@@ -69,9 +69,9 @@ $ curl \
"Datacenter": "dc1",
"Segment": "",
"Keys": {
- "0eK8RjnsGC/+I1fJErQsBA==": 1,
- "G/3/L4yOw3e5T7NTvuRi9g==": 1,
- "z90lFx3sZZLtTOkutXcwYg==": 1
+ "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=": 1,
+ "ZWTL+bgjHyQPhJRKcFe3ccirc2SFHmc/Nw67l8NQfdk=": 1,
+ "WbL6oaTPom+7RG7Q/INbJWKy09OLar/Hf2SuOAdoQE4=": 1
},
"NumNodes": 1
}
@@ -122,7 +122,7 @@ The table below shows this endpoint's support for
```json
{
- "Key": "3lg9DxVfKNzI8O+IQ5Ek+Q=="
+ "Key": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="
}
```
@@ -168,7 +168,7 @@ The table below shows this endpoint's support for
```json
{
- "Key": "3lg9DxVfKNzI8O+IQ5Ek+Q=="
+ "Key": "WbL6oaTPom+7RG7Q/INbJWKy09OLar/Hf2SuOAdoQE4="
}
```
@@ -213,7 +213,7 @@ The table below shows this endpoint's support for
```json
{
- "Key": "3lg9DxVfKNzI8O+IQ5Ek+Q=="
+ "Key": "WbL6oaTPom+7RG7Q/INbJWKy09OLar/Hf2SuOAdoQE4="
}
```
diff --git a/website/source/docs/agent/encryption.html.md b/website/source/docs/agent/encryption.html.md
index 3ddb801b66..fbc35d7b3b 100644
--- a/website/source/docs/agent/encryption.html.md
+++ b/website/source/docs/agent/encryption.html.md
@@ -20,13 +20,13 @@ starting the Consul agent. The key can be set via the `encrypt` parameter.
~> **WAN Joined Datacenters Note:** If using multiple WAN joined datacenters, be sure to use _the same encryption key_ in all datacenters.
-The key must be 16-bytes, Base64 encoded. As a convenience, Consul provides the
+The key must be 32-bytes, Base64 encoded. As a convenience, Consul provides the
[`consul keygen`](/docs/commands/keygen.html) command to generate a
cryptographically suitable key:
```text
$ consul keygen
-cg8StVXbQJ0gPvMd9o7yrg==
+pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=
```
With that key, you can enable encryption on the agent. If encryption is enabled,
@@ -34,7 +34,7 @@ the output of [`consul agent`](/docs/commands/agent.html) will include "Encrypt:
```text
$ cat encrypt.json
-{"encrypt": "cg8StVXbQJ0gPvMd9o7yrg=="}
+{"encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="}
$ consul agent -data-dir=/tmp/consul -config-file=encrypt.json
==> WARNING: LAN keyring exists but -encrypt given, using keyring
diff --git a/website/source/docs/agent/options.html.md b/website/source/docs/agent/options.html.md
index 4ba9508178..426cd49dae 100644
--- a/website/source/docs/agent/options.html.md
+++ b/website/source/docs/agent/options.html.md
@@ -242,7 +242,7 @@ will exit with an error at startup.
* `-encrypt` - Specifies the secret key to
use for encryption of Consul
- network traffic. This key must be 16-bytes that are Base64-encoded. The
+ network traffic. This key must be 32-bytes that are Base64-encoded. The
easiest way to create an encryption key is to use
[`consul keygen`](/docs/commands/keygen.html). All
nodes within a cluster must share the same encryption key to communicate.
diff --git a/website/source/docs/guides/agent-encryption.html.md b/website/source/docs/guides/agent-encryption.html.md
index a400a761d3..50cb36f596 100644
--- a/website/source/docs/guides/agent-encryption.html.md
+++ b/website/source/docs/guides/agent-encryption.html.md
@@ -14,13 +14,13 @@ To complete the RPC encryption section, you must have [configured agent certific
## Gossip Encryption
-To enable gossip encryption, you need to use an encryption key when starting the Consul agent. The key can be simple set with the `encrypt` parameter in the agent configuration file. Alternatively, the encryption key can be placed in a seperate configuration file with only the `encrypt` field, since the agent can merge multiple configuration files. The key must be 16-bytes, Base64 encoded.
+To enable gossip encryption, you need to use an encryption key when starting the Consul agent. The key can be simple set with the `encrypt` parameter in the agent configuration file. Alternatively, the encryption key can be placed in a seperate configuration file with only the `encrypt` field, since the agent can merge multiple configuration files. The key must be 32-bytes, Base64 encoded.
You can use the Consul CLI command, [`consul keygen`](/docs/commands/keygen.html), to generate a cryptographically suitable key.
```sh
$ consul keygen
-cg8StVXbQJ0gPvMd9o7yrg==
+pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=
```
### Enable Gossip Encryption: New Cluster
@@ -34,7 +34,7 @@ agent configuration file and then pass the file at startup with the [`-config-di
"log_level": "INFO",
"node_name": "bulldog",
"server": true,
- "encrypt": "JY34uTPZyfUE+6tinMYEVw=="
+ "encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="
}
```
@@ -64,7 +64,7 @@ Gossip encryption can also be enabled on an existing cluster, but requires sever
```sh
$ consul keygen
-JY34uTPZyfUE+6tinMYEVw==
+pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=
```
**Step 2**: Set the [`encrypt`](/docs/agent/options.html#_encrypt) key, and set `encrypt_verify_incoming` and `encrypt_verify_outgoing` to `false` in the agent configuration file. Then initiate a rolling update of the cluster with these new values. After this step, the agents will be able to decrypt gossip but will not yet be sending encrypted traffic.
@@ -75,7 +75,7 @@ JY34uTPZyfUE+6tinMYEVw==
"log_level": "INFO",
"node_name": "bulldog",
"server": true,
- "encrypt": "JY34uTPZyfUE+6tinMYEVw==",
+ "encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=",
"encrypt_verify_incoming": false,
"encrypt_verify_outgoing": false
}
@@ -91,7 +91,7 @@ A rolling update can be made by restarting the Consul agents (clients and server
"log_level": "INFO",
"node_name": "bulldog",
"server": true,
- "encrypt": "JY34uTPZyfUE+6tinMYEVw==",
+ "encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=",
"encrypt_verify_incoming": false,
"encrypt_verify_outgoing": true
}
@@ -105,7 +105,7 @@ A rolling update can be made by restarting the Consul agents (clients and server
"log_level": "INFO",
"node_name": "bulldog",
"server": true,
- "encrypt": "JY34uTPZyfUE+6tinMYEVw==",
+ "encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=",
"encrypt_verify_incoming": true,
"encrypt_verify_outgoing": true
}
@@ -139,7 +139,7 @@ After TLS has been configured on all the agents, you can start the agents and RP
"log_level": "INFO",
"node_name": "bulldog",
"server": true,
- "encrypt": "JY34uTPZyfUE+6tinMYEVw==",
+ "encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=",
"verify_incoming": true,
"verify_outgoing": true,
"verify_server_hostname": true,
@@ -165,7 +165,7 @@ Enabling TLS on an existing cluster is supported. This process assumes a startin
"log_level": "INFO",
"node_name": "bulldog",
"server": true,
- "encrypt": "JY34uTPZyfUE+6tinMYEVw==",
+ "encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=",
"verify_incoming": false,
"verify_outgoing": false,
"ca_file": "consul-agent-ca.pem",
@@ -187,7 +187,7 @@ Next, perform a rolling restart of each agent in the cluster. After this step, T
"log_level": "INFO",
"node_name": "bulldog",
"server": true,
- "encrypt": "JY34uTPZyfUE+6tinMYEVw==",
+ "encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=",
"verify_incoming": true,
"verify_outgoing": true,
"verify_server_hostname": true,
diff --git a/website/source/docs/guides/deployment-guide.html.md b/website/source/docs/guides/deployment-guide.html.md
index c76b726667..411cab9563 100644
--- a/website/source/docs/guides/deployment-guide.html.md
+++ b/website/source/docs/guides/deployment-guide.html.md
@@ -151,7 +151,7 @@ Add this configuration to the `consul.hcl` configuration file:
```hcl
datacenter = "dc1"
data_dir = "/opt/consul"
-encrypt = "Luj2FZWwlt8475wD1WtwUQ=="
+encrypt = "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="
```
- [`datacenter`](/docs/agent/options.html#_datacenter) - The datacenter in which the agent is running.