Final edits to encryption doc.

Ryan Breen 2015-01-31 22:05:00 -05:00
parent 02c7ed0e94
commit 3a184a06f7
1 changed files with 6 additions and 5 deletions

@ -15,10 +15,10 @@ There are two separate encryption systems, one for gossip traffic and one for RP
## Gossip Encryption ## Gossip Encryption
Enabling gossip encryption only requires that you set an encryption key when Enabling gossip encryption only requires that you set an encryption key when
starting the Consul agent. The key can be set via the `encrypt` parameter: this starting the Consul agent. The key can be set via the `encrypt` parameter: the
value of this setting is a configuration file containing the encryption key. value of this setting is a configuration file containing the encryption key.
The key must be 16-bytes, Base64 encoded. As a convenience, Consul contains the The key must be 16-bytes, Base64 encoded. As a convenience, Consul provides the
`consul keygen` commmand to generate a cryptographically suitable key: `consul keygen` commmand to generate a cryptographically suitable key:
```text ```text
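Review bot: The reworded sentence about the `encrypt` parameter still says its value "is a configuration file containing the encryption key", which leaves it unclear whether the operator supplies the key itself or a path to a file holding it. Since this is the only instruction for enabling gossip encryption, say explicitly which one is expected and where the value goes. While this paragraph is being touched, `commmand` on the `consul keygen` line is still misspelled on the new side, and "16-bytes" would read better as "16 bytes".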
@ -57,13 +57,14 @@ Consul supports using TLS to verify the authenticity of servers and clients. To
Consul requires that all clients and servers have key pairs that are generated by a single Consul requires that all clients and servers have key pairs that are generated by a single
Certificate Authority. This can be a private CA, used only internally. The Certificate Authority. This can be a private CA, used only internally. The
CA then signs keys for each of the agents, as in CA then signs keys for each of the agents, as in
[this tutorial on generationg both a CA and signing keys](https://langui.sh/2009/01/18/openssl-self-signed-ca/) [this tutorial on generating both a CA and signing keys](https://langui.sh/2009/01/18/openssl-self-signed-ca/)
using OpenSSL. Note: client certificates must have using OpenSSL. Note: client certificates must have
[Extended Key Usage](https://www.openssl.org/docs/apps/x509v3_config.html#extended_key_usage_) enabled [Extended Key Usage](https://www.openssl.org/docs/apps/x509v3_config.html#extended_key_usage_) enabled
for client and server authentication. for client and server authentication.
TLS can be used to verify the authenticity of the servers or verify the authenticity of clients. These modes are TLS can be used to verify the authenticity of the servers or verify the authenticity of clients.
controlled by the `verify_outgoing` and `verify_incoming` [options](/docs/agent/options.html), respectively. These modes are controlled by the `verify_outgoing` and `verify_incoming` [options](/docs/agent/options.html),
respectively.
If `verify_outgoing` is set, agents verify the authenticity of Consul for outgoing If `verify_outgoing` is set, agents verify the authenticity of Consul for outgoing
connections. Server nodes must present a certificate signed by the certificate authority connections. Server nodes must present a certificate signed by the certificate authority
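Review bot: The Extended Key Usage note in this hunk names only client certificates ("client certificates must have ... enabled for client and server authentication"), while the paragraph opens by saying all clients and servers need key pairs from a single CA. State whether server certificates need the same usages, so that a reader generating certificates for `verify_incoming` and `verify_outgoing` knows what each side must present. The re-wrap of the `verify_outgoing` / `verify_incoming` sentence is whitespace only and the `generationg` fix is correct. The CA walkthrough still depends on an external tutorial link, so consider summarising the essential signing steps in the doc itself in case that page moves.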