Merge pull request #664 from ryanbreen/master

Grammatical cleanups to doc/agent/encryption
This commit is contained in:
Armon Dadgar 2015-02-02 13:30:34 -08:00
commit cd0558c6a3
1 changed files with 28 additions and 29 deletions

View File

@ -3,31 +3,31 @@ layout: "docs"
page_title: "Encryption"
sidebar_current: "docs-agent-encryption"
description: |-
The Consul agent supports encrypting all of its network traffic. The exact method of this encryption is described on the encryption internals page. There are two separate systems, one for gossip traffic and one for RPC.
The Consul agent supports encrypting all of its network traffic. The exact method of encryption is described on the encryption internals page. There are two separate encryption systems, one for gossip traffic and one for RPC.
---
# Encryption
The Consul agent supports encrypting all of its network traffic. The exact
method of this encryption is described on the
[encryption internals page](/docs/internals/security.html). There are two
separate systems, one for gossip traffic and one for RPC.
method of encryption is described on the [encryption internals page](/docs/internals/security.html).
There are two separate encryption systems, one for gossip traffic and one for RPC.
## Gossip Encryption
Enabling gossip encryption only requires that you set an encryption key when
starting the Consul agent. The key can be set by setting the `encrypt` parameter
in a configuration file for the agent. The key must be 16-bytes that are base64
encoded. The easiest method to obtain a cryptographically suitable key is by
using `consul keygen`.
starting the Consul agent. The key can be set via the `encrypt` parameter: the
value of this setting is a configuration file containing the encryption key.
The key must be 16-bytes, Base64 encoded. As a convenience, Consul provides the
`consul keygen` commmand to generate a cryptographically suitable key:
```text
$ consul keygen
cg8StVXbQJ0gPvMd9o7yrg==
```
With that key, you can enable encryption on the agent. You can verify
encryption is enabled because the output will include "Encrypted: true".
With that key, you can enable encryption on the agent. If encryption is enabled,
the output of `consul agent` will include "Encrypted: true":
```text
$ cat encrypt.json
@ -53,28 +53,27 @@ order to send and receive cluster information.
# RPC Encryption with TLS
Consul supports using TLS to verify the authenticity of servers and clients. For this
to work, Consul requires that all clients and servers have key pairs that are generated
by a single Certificate Authority. This can be a private CA, used only internally. The
CA then signs keys for each of the agents. [Here](https://langui.sh/2009/01/18/openssl-self-signed-ca/)
is a tutorial on generating both a CA and signing keys using OpenSSL. Client certificates
must have extended key usage enabled for client and server authentication.
Consul supports using TLS to verify the authenticity of servers and clients. To enable this,
Consul requires that all clients and servers have key pairs that are generated by a single
Certificate Authority. This can be a private CA, used only internally. The
CA then signs keys for each of the agents, as in
[this tutorial on generating both a CA and signing keys](https://langui.sh/2009/01/18/openssl-self-signed-ca/)
using OpenSSL. Note: client certificates must have
[Extended Key Usage](https://www.openssl.org/docs/apps/x509v3_config.html#extended_key_usage_) enabled
for client and server authentication.
There are a number of things to consider when setting up TLS for Consul. Either we can
use TLS just to verify the authenticity of the servers, or we can also verify the authenticity
of clients. The former can be used to prevent unauthorized access. This behavior is controlled
using either the `verify_incoming` and `verify_outgoing` [options](/docs/agent/options.html).
TLS can be used to verify the authenticity of the servers or verify the authenticity of clients.
These modes are controlled by the `verify_outgoing` and `verify_incoming` [options](/docs/agent/options.html),
respectively.
If `verify_outgoing` is set, then agents verify the authenticity of Consuls for outgoing
connections. This means server nodes must present a certificate signed by the `ca_file` that
the agent has. This option must be set on all agents, and there must be a `ca_file` provided
to check the certificate against. If this is set, then all server nodes must have an appropriate
key pair set using `cert_file` and `key_file`.
If `verify_outgoing` is set, agents verify the authenticity of Consul for outgoing
connections. Server nodes must present a certificate signed by the certificate authority
present on all agents, set via the agent's `ca_file` option. All server nodes must have an
appropriate key pair set using `cert_file` and `key_file`.
If `verify_incoming` is set, then the servers verify the authenticity of all incoming
connections. Servers will also disallow any non-TLS connections. If this is set, then all
clients must have a valid key pair set using `cert_file` and `key_file`. To force clients to
use TLS, `verify_outgoing` must also be set.
If `verify_incoming` is set, the servers verify the authenticity of all incoming
connections. All clients must have a valid key pair set using `cert_file` and `key_file`. Servers will
also disallow any non-TLS connections. To force clients to use TLS, `verify_outgoing` must also be set.
TLS is used to secure the RPC calls between agents, but gossip between nodes is done over UDP
and is secured using a symmetric key. See above for enabling gossip encryption.