mirror of https://github.com/status-im/consul.git
Final edits to encryption doc.
This commit is contained in:
parent
02c7ed0e94
commit
3a184a06f7
|
@ -15,10 +15,10 @@ There are two separate encryption systems, one for gossip traffic and one for RP
|
|||
## Gossip Encryption
|
||||
|
||||
Enabling gossip encryption only requires that you set an encryption key when
|
||||
starting the Consul agent. The key can be set via the `encrypt` parameter: this
|
||||
starting the Consul agent. The key can be set via the `encrypt` parameter: the
|
||||
value of this setting is a configuration file containing the encryption key.
|
||||
|
||||
The key must be 16-bytes, Base64 encoded. As a convenience, Consul contains the
|
||||
The key must be 16-bytes, Base64 encoded. As a convenience, Consul provides the
|
||||
`consul keygen` commmand to generate a cryptographically suitable key:
|
||||
|
||||
```text
|
||||
|
@ -57,13 +57,14 @@ Consul supports using TLS to verify the authenticity of servers and clients. To
|
|||
Consul requires that all clients and servers have key pairs that are generated by a single
|
||||
Certificate Authority. This can be a private CA, used only internally. The
|
||||
CA then signs keys for each of the agents, as in
|
||||
[this tutorial on generationg both a CA and signing keys](https://langui.sh/2009/01/18/openssl-self-signed-ca/)
|
||||
[this tutorial on generating both a CA and signing keys](https://langui.sh/2009/01/18/openssl-self-signed-ca/)
|
||||
using OpenSSL. Note: client certificates must have
|
||||
[Extended Key Usage](https://www.openssl.org/docs/apps/x509v3_config.html#extended_key_usage_) enabled
|
||||
for client and server authentication.
|
||||
|
||||
TLS can be used to verify the authenticity of the servers or verify the authenticity of clients. These modes are
|
||||
controlled by the `verify_outgoing` and `verify_incoming` [options](/docs/agent/options.html), respectively.
|
||||
TLS can be used to verify the authenticity of the servers or verify the authenticity of clients.
|
||||
These modes are controlled by the `verify_outgoing` and `verify_incoming` [options](/docs/agent/options.html),
|
||||
respectively.
|
||||
|
||||
If `verify_outgoing` is set, agents verify the authenticity of Consul for outgoing
|
||||
connections. Server nodes must present a certificate signed by the certificate authority
|
||||
|
|
Loading…
Reference in New Issue