Enable gossip encryption for Nomad
Nomad server's gossip protocol that is used to communicate membership and
liveness information can be encrypted with symmetric keys. Enabling gossip
encryption requires you to set an encryption key when starting the Nomad server.
The key can be set via the encrypt
parameter or with the -encrypt
command
line option. The key must be a base64-encoded string of 32 random bytes.
The same encryption key should be used on every server in a region.
Launch Terminal
This tutorial includes a free interactive command-line lab that lets you follow along on actual cloud infrastructure.
Note
To secure RPC and HTTP communication, you will need to configure TLS. You can learn how in the "Enable TLS Encryption for Nomad" guide.
Generate an encryption key
The Nomad CLI includes a operator gossip keyring generate
command for generating a new secure
gossip encryption key.
Current and older versions of nomad operator gossip keyring generate
return 16 bytes; however,
Nomad supports gossip encryption keys of 32 bytes as well. Supplying a 32 byte key
enables AES-256 mode, where supplying a 16 byte key enables AES-128 mode.
Alternatively, you can use any method that can create 32 random bytes encoded in base64.
Configure the server to use the key
Put the same generated key into every server's configuration file or command line arguments:
Restart the server to enable encryption
You can perform a rolling restart of the Nomad process on each of your server nodes to enable encryption. Restart your servers one at a time in order to maintain a quorum of nodes on one side or the other of this soft partition.
Once all of the nodes have been restarted all gossip traffic will be encrypted between all of your server nodes.
Next steps
If you would like to learn more technical information about Nomad's gossip protocol, consult the Serf library documentation.