From 1a14b94441dbd715fcb83d78c99fe87de9ad01ea Mon Sep 17 00:00:00 2001
From: freddygv
Date: Tue, 30 Jul 2019 09:45:41 -0600
Subject: [PATCH] Update default gossip encryption key size to 32 bytes
---
agent/config/runtime_test.go | 20 +++++++++----------
command/keygen/keygen.go | 6 +++---
command/keygen/keygen_test.go | 3 +--
website/source/api/operator/keyring.html.md | 18 ++++++++---------
website/source/docs/agent/encryption.html.md | 6 +++---
website/source/docs/agent/options.html.md | 2 +-
.../docs/guides/agent-encryption.html.md | 20 +++++++++----------
.../docs/guides/deployment-guide.html.md | 2 +-
8 files changed, 38 insertions(+), 39 deletions(-)
diff --git a/agent/config/runtime_test.go b/agent/config/runtime_test.go
index 82905da7db..681995f8c1 100644
--- a/agent/config/runtime_test.go
+++ b/agent/config/runtime_test.go
@@ -407,11 +407,11 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
 {
 desc: "-encrypt",
 args: []string{
- `-encrypt=i0P+gFTkLPg0h53eNYjydg==`,
+ `-encrypt=pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=`,
 `-data-dir=` + dataDir,
 },
 patch: func(rt *RuntimeConfig) {
- rt.EncryptKey = "i0P+gFTkLPg0h53eNYjydg=="
+ rt.EncryptKey = "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="
 rt.DataDir = dataDir
 },
 },
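Review bot: Every `-encrypt` fixture in this hunk and in the two hunks at 2104 and 2120 is switched to the 32-byte key, so the suite no longer has a case showing that a 16-byte key from an existing cluster is still accepted by the config loader; keeping one case on the old `i0P+gFTkLPg0h53eNYjydg==` value, or adding an explicit `desc: "-encrypt 16-byte key"` case, would pin the compatibility an upgrade relies on. Whether the loader validates key length at all is not visible here, so this is a coverage question rather than a known regression. These cases sit inside `TestConfigFlagsAndEdgecases`, which starts and ends outside the hunk.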
@@ -2104,14 +2104,14 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
 args: []string{
 `-data-dir=` + dataDir,
 },
- json: []string{`{ "encrypt": "i0P+gFTkLPg0h53eNYjydg==" }`},
- hcl: []string{` encrypt = "i0P+gFTkLPg0h53eNYjydg==" `},
+ json: []string{`{ "encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=" }`},
+ hcl: []string{` encrypt = "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=" `},
 patch: func(rt *RuntimeConfig) {
- rt.EncryptKey = "i0P+gFTkLPg0h53eNYjydg=="
+ rt.EncryptKey = "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="
 rt.DataDir = dataDir
 },
 pre: func() {
- writeFile(filepath.Join(dataDir, SerfLANKeyring), []byte("i0P+gFTkLPg0h53eNYjydg=="))
+ writeFile(filepath.Join(dataDir, SerfLANKeyring), []byte("pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="))
 },
 warns: []string{`WARNING: LAN keyring exists but -encrypt given, using keyring`},
 },
@@ -2120,17 +2120,17 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
 args: []string{
 `-data-dir=` + dataDir,
 },
- json: []string{`{ "encrypt": "i0P+gFTkLPg0h53eNYjydg==", "server": true }`},
- hcl: []string{` encrypt = "i0P+gFTkLPg0h53eNYjydg==" server = true `},
+ json: []string{`{ "encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=", "server": true }`},
+ hcl: []string{` encrypt = "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=" server = true `},
 patch: func(rt *RuntimeConfig) {
- rt.EncryptKey = "i0P+gFTkLPg0h53eNYjydg=="
+ rt.EncryptKey = "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="
 rt.ServerMode = true
 rt.LeaveOnTerm = false
 rt.SkipLeaveOnInt = true
 rt.DataDir = dataDir
 },
 pre: func() {
- writeFile(filepath.Join(dataDir, SerfWANKeyring), []byte("i0P+gFTkLPg0h53eNYjydg=="))
+ writeFile(filepath.Join(dataDir, SerfWANKeyring), []byte("pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="))
 },
 warns: []string{`WARNING: WAN keyring exists but -encrypt given, using keyring`},
 },
diff --git a/command/keygen/keygen.go b/command/keygen/keygen.go
index 0b95907736..b232dd62bd 100644
--- a/command/keygen/keygen.go
+++ b/command/keygen/keygen.go
@@ -32,13 +32,13 @@ func (c *cmd) Run(args []string) int {
 return 1
 }
- key := make([]byte, 16)
+ key := make([]byte, 32)
 n, err := rand.Reader.Read(key)
 if err != nil {
 c.UI.Error(fmt.Sprintf("Error reading random data: %s", err))
 return 1
 }
- if n != 16 {
+ if n != 32 {
 c.UI.Error(fmt.Sprintf("Couldn't read enough entropy. Generate more entropy!"))
 return 1
 }
@@ -59,7 +59,7 @@ const synopsis = "Generates a new encryption key"
 const help = `
 Usage: consul keygen
- Generates a new encryption key that can be used to configure the
+ Generates a new 32-byte encryption key that can be used to configure the
 agent to encrypt traffic. The output of this command is already in the proper format that the agent expects.
 `
diff --git a/command/keygen/keygen_test.go b/command/keygen/keygen_test.go
index fe94906e65..288334496e 100644
--- a/command/keygen/keygen_test.go
+++ b/command/keygen/keygen_test.go
@@ -29,8 +29,7 @@ func TestKeygenCommand(t *testing.T) {
 if err != nil {
 t.Fatalf("err: %s", err)
 }
-
- if len(result) != 16 {
+ if len(result) != 32 {
 t.Fatalf("bad: %#v", result)
 }
 }
diff --git a/website/source/api/operator/keyring.html.md b/website/source/api/operator/keyring.html.md
index 26401744b0..b5e71f01ee 100644
--- a/website/source/api/operator/keyring.html.md
+++ b/website/source/api/operator/keyring.html.md
@@ -58,9 +58,9 @@ $ curl \
 "Datacenter": "dc1",
 "Segment": "",
 "Keys": {
- "0eK8RjnsGC/+I1fJErQsBA==": 1,
- "G/3/L4yOw3e5T7NTvuRi9g==": 1,
- "z90lFx3sZZLtTOkutXcwYg==": 1
+ "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=": 1,
+ "ZWTL+bgjHyQPhJRKcFe3ccirc2SFHmc/Nw67l8NQfdk=": 1,
+ "WbL6oaTPom+7RG7Q/INbJWKy09OLar/Hf2SuOAdoQE4=": 1
 },
 "NumNodes": 1
 },
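Review bot: The `n != 32` branch after `rand.Reader.Read(key)` repeats the size literal and hand-rolls what `io.ReadFull` already guarantees; `if _, err := io.ReadFull(rand.Reader, key); err != nil {` replaces both the read and the short-read branch with a single error path (the `io` import is needed if the file does not already have it). A named constant such as `const keySize = 32` used by `make` and referenced from the help text would keep the size from drifting between the two again. The help text and the docs in this patch now say the key "must be 32-bytes"; if the agent's key validation, which is not in this patch, still accepts the 16-byte keys existing clusters were generated with, wording such as "32 bytes; 16- and 24-byte keys remain accepted" would be more accurate and would not imply that upgrading requires rekeying. The rest of `Run` lies outside the hunk.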
@@ -69,9 +69,9 @@ $ curl \
 "Datacenter": "dc1",
 "Segment": "",
 "Keys": {
- "0eK8RjnsGC/+I1fJErQsBA==": 1,
- "G/3/L4yOw3e5T7NTvuRi9g==": 1,
- "z90lFx3sZZLtTOkutXcwYg==": 1
+ "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=": 1,
+ "ZWTL+bgjHyQPhJRKcFe3ccirc2SFHmc/Nw67l8NQfdk=": 1,
+ "WbL6oaTPom+7RG7Q/INbJWKy09OLar/Hf2SuOAdoQE4=": 1
 },
 "NumNodes": 1
 }
@@ -122,7 +122,7 @@ The table below shows this endpoint's support for
 ```json
 {
- "Key": "3lg9DxVfKNzI8O+IQ5Ek+Q=="
+ "Key": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="
 }
 ```
@@ -168,7 +168,7 @@ The table below shows this endpoint's support for
 ```json
 {
- "Key": "3lg9DxVfKNzI8O+IQ5Ek+Q=="
+ "Key": "WbL6oaTPom+7RG7Q/INbJWKy09OLar/Hf2SuOAdoQE4="
 }
 ```
@@ -213,7 +213,7 @@ The table below shows this endpoint's support for
 ```json
 {
- "Key": "3lg9DxVfKNzI8O+IQ5Ek+Q=="
+ "Key": "WbL6oaTPom+7RG7Q/INbJWKy09OLar/Hf2SuOAdoQE4="
 }
 ```
diff --git a/website/source/docs/agent/encryption.html.md b/website/source/docs/agent/encryption.html.md
index 3ddb801b66..fbc35d7b3b 100644
--- a/website/source/docs/agent/encryption.html.md
+++ b/website/source/docs/agent/encryption.html.md
@@ -20,13 +20,13 @@ starting the Consul agent. The key can be set via the `encrypt` parameter.
 ~> **WAN Joined Datacenters Note:** If using multiple WAN joined datacenters, be sure to use _the same encryption key_ in all datacenters.
-The key must be 16-bytes, Base64 encoded. As a convenience, Consul provides the
+The key must be 32-bytes, Base64 encoded. As a convenience, Consul provides the
 [`consul keygen`](/docs/commands/keygen.html) command to generate a cryptographically suitable key:
 ```text
 $ consul keygen
-cg8StVXbQJ0gPvMd9o7yrg==
+pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=
 ```
 With that key, you can enable encryption on the agent. If encryption is enabled,
@@ -34,7 +34,7 @@ the output of [`consul agent`](/docs/commands/agent.html) will include "Encrypt:
 ```text
 $ cat encrypt.json
-{"encrypt": "cg8StVXbQJ0gPvMd9o7yrg=="}
+{"encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="}
 $ consul agent -data-dir=/tmp/consul -config-file=encrypt.json
 ==> WARNING: LAN keyring exists but -encrypt given, using keyring
diff --git a/website/source/docs/agent/options.html.md b/website/source/docs/agent/options.html.md
index 4ba9508178..426cd49dae 100644
--- a/website/source/docs/agent/options.html.md
+++ b/website/source/docs/agent/options.html.md
@@ -242,7 +242,7 @@ will exit with an error at startup.
 * `-encrypt` - Specifies the secret key to use for encryption of Consul
- network traffic. This key must be 16-bytes that are Base64-encoded. The
+ network traffic. This key must be 32-bytes that are Base64-encoded. The
 easiest way to create an encryption key is to use [`consul keygen`](/docs/commands/keygen.html). All nodes within a cluster must share the same encryption key to communicate.
diff --git a/website/source/docs/guides/agent-encryption.html.md b/website/source/docs/guides/agent-encryption.html.md
index a400a761d3..50cb36f596 100644
--- a/website/source/docs/guides/agent-encryption.html.md
+++ b/website/source/docs/guides/agent-encryption.html.md
@@ -14,13 +14,13 @@ To complete the RPC encryption section, you must have [configured agent certific
 ## Gossip Encryption
-To enable gossip encryption, you need to use an encryption key when starting the Consul agent. The key can be simple set with the `encrypt` parameter in the agent configuration file. Alternatively, the encryption key can be placed in a seperate configuration file with only the `encrypt` field, since the agent can merge multiple configuration files. The key must be 16-bytes, Base64 encoded.
+To enable gossip encryption, you need to use an encryption key when starting the Consul agent. The key can be simple set with the `encrypt` parameter in the agent configuration file. Alternatively, the encryption key can be placed in a seperate configuration file with only the `encrypt` field, since the agent can merge multiple configuration files. The key must be 32-bytes, Base64 encoded.
 You can use the Consul CLI command, [`consul keygen`](/docs/commands/keygen.html), to generate a cryptographically suitable key.
 ```sh
 $ consul keygen
-cg8StVXbQJ0gPvMd9o7yrg==
+pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=
 ```
 ### Enable Gossip Encryption: New Cluster
@@ -34,7 +34,7 @@ agent configuration file and then pass the file at startup with the [`-config-di
 "log_level": "INFO",
 "node_name": "bulldog",
 "server": true,
- "encrypt": "JY34uTPZyfUE+6tinMYEVw=="
+ "encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="
 }
 ```
@@ -64,7 +64,7 @@ Gossip encryption can also be enabled on an existing cluster, but requires sever
 ```sh
 $ consul keygen
-JY34uTPZyfUE+6tinMYEVw==
+pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=
 ```
 **Step 2**: Set the [`encrypt`](/docs/agent/options.html#_encrypt) key, and set `encrypt_verify_incoming` and `encrypt_verify_outgoing` to `false` in the agent configuration file. Then initiate a rolling update of the cluster with these new values. After this step, the agents will be able to decrypt gossip but will not yet be sending encrypted traffic.
@@ -75,7 +75,7 @@ JY34uTPZyfUE+6tinMYEVw==
 "log_level": "INFO",
 "node_name": "bulldog",
 "server": true,
- "encrypt": "JY34uTPZyfUE+6tinMYEVw==",
+ "encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=",
 "encrypt_verify_incoming": false,
 "encrypt_verify_outgoing": false
 }
@@ -91,7 +91,7 @@ A rolling update can be made by restarting the Consul agents (clients and server
 "log_level": "INFO",
 "node_name": "bulldog",
 "server": true,
- "encrypt": "JY34uTPZyfUE+6tinMYEVw==",
+ "encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=",
 "encrypt_verify_incoming": false,
 "encrypt_verify_outgoing": true
 }
@@ -105,7 +105,7 @@ A rolling update can be made by restarting the Consul agents (clients and server
 "log_level": "INFO",
 "node_name": "bulldog",
 "server": true,
- "encrypt": "JY34uTPZyfUE+6tinMYEVw==",
+ "encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=",
 "encrypt_verify_incoming": true,
 "encrypt_verify_outgoing": true
 }
@@ -139,7 +139,7 @@ After TLS has been configured on all the agents, you can start the agents and RP
 "log_level": "INFO",
 "node_name": "bulldog",
 "server": true,
- "encrypt": "JY34uTPZyfUE+6tinMYEVw==",
+ "encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=",
 "verify_incoming": true,
 "verify_outgoing": true,
 "verify_server_hostname": true,
@@ -165,7 +165,7 @@ Enabling TLS on an existing cluster is supported. This process assumes a startin
 "log_level": "INFO",
 "node_name": "bulldog",
 "server": true,
- "encrypt": "JY34uTPZyfUE+6tinMYEVw==",
+ "encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=",
 "verify_incoming": false,
 "verify_outgoing": false,
 "ca_file": "consul-agent-ca.pem",
@@ -187,7 +187,7 @@ Next, perform a rolling restart of each agent in the cluster. After this step, T
 "log_level": "INFO",
 "node_name": "bulldog",
 "server": true,
- "encrypt": "JY34uTPZyfUE+6tinMYEVw==",
+ "encrypt": "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s=",
 "verify_incoming": true,
 "verify_outgoing": true,
 "verify_server_hostname": true,
diff --git a/website/source/docs/guides/deployment-guide.html.md b/website/source/docs/guides/deployment-guide.html.md
index c76b726667..411cab9563 100644
--- a/website/source/docs/guides/deployment-guide.html.md
+++ b/website/source/docs/guides/deployment-guide.html.md
@@ -151,7 +151,7 @@ Add this configuration to the `consul.hcl` configuration file:
 ```hcl
 datacenter = "dc1"
 data_dir = "/opt/consul"
-encrypt = "Luj2FZWwlt8475wD1WtwUQ=="
+encrypt = "pUqJrVyVRj5jsiYEkM/tFQYfWyJIv4s3XkvDwy7Cu5s="
 ``` - [`datacenter`](/docs/agent/options.html#_datacenter) - The datacenter in which the agent is running.