HashiCorp Learn
Infrastructure
  • TerraformTerraformLearn terraformDocs
  • PackerPackerLearn packerDocs
  • VagrantVagrantLearn vagrantDocs
Security
  • VaultVaultLearn vaultDocs
  • BoundaryBoundaryLearn boundaryDocs
Networking
  • ConsulConsulLearn consulDocs
Applications
  • NomadNomadLearn nomadDocs
  • WaypointWaypointLearn waypointDocs
  • HashiCorp Cloud Platform (HCP) LogoHashiCorp Cloud Platform (HCP)HashiCorp Cloud Platform (HCP)Docs
Type '/' to Search
Loading account...
  • Bookmarks
  • Manage Account
  • Overview
  • Generate an encryption key
  • Configure the server to use the key
  • Restart the server to enable encryption
  • Next steps
DocsForum
Back to nomad
Transport SecurityView Collection
    Transport Security OverviewEnable Gossip Encryption for NomadEnable TLS Encryption for Nomad

Enable Gossip Encryption for Nomad

  • 2 min
  • Products Usednomad
  • This tutorial also appears in: Interactive.

Nomad server's gossip protocol that is used to communicate membership and liveness information can be encrypted with symmetric keys. Enabling gossip encryption requires you to set an encryption key when starting the Nomad server. The key can be set via the encrypt parameter or with the -encrypt command line option. The key must be a base64-encoded string of 32 random bytes. The same encryption key should be used on every server in a region.

Note: To secure RPC and HTTP communication, you will need to configure TLS. You can learn how in the "Enable TLS Encryption for Nomad" guide.

»Generate an encryption key

The Nomad CLI includes a operator keygen command for generating a new secure gossip encryption key.

$ nomad operator keygen
4kRkFQfcc3LU0BazP1ca+z==

Current and older versions of nomad operator keygen return 16 bytes; however, Nomad supports gossip encryption keys of 32 bytes as well. Supplying a 32 byte key enables AES-256 mode, where supplying a 16 byte key enables AES-128 mode.

Alternatively, you can use any method that can create 32 random bytes encoded in base64.

$ openssl rand -base64 32
4YwLQm6ZMwYgfldNBT5P76tAWMdcBmu+FPYRvCxvsHc=
$ dd if=/dev/urandom bs=32 count=1 status=none | base64
IisA4F7Mu/RwGfBZelcsFzMlJ4+twnO5Z7eoTzD0T6c=

»Configure the server to use the key

Put the same generated key into every server's configuration file or command line arguments:

server {
  enabled = true

  # Self-elect, should be 3 or 5 for production. This is only for single node
  # clusters which are strictly for development/demo.
  bootstrap_expect = 1

  # Encrypt gossip communication
  encrypt = "+p7iF56z0EWoSIvhpYHWXZrSAAtnjR9l6XHRzHqQKlg="
}

»Restart the server to enable encryption

You can perform a rolling restart of the Nomad process on each of your server nodes to enable encryption. Restart your servers one at a time in order to maintain a quorum of nodes on one side or the other of this soft partition.

Once all of the nodes have been restarted all gossip traffic will be encrypted between all of your server nodes.

»Next steps

If you would like to learn more technical information about Nomad's gossip protocol, consult the Serf library documentation.


Back to Collection
HashiCorp
  • System Status
  • Terms of Use
  • Security
  • Privacy
stdin: is not a tty