Consul
Encryption
This topic describes the two encryption systems available in Consul to secure network traffic: gossip encryption and mutual TLS (mTLS).
The Consul security model defines the guidelines for operating a secure Consul deployment. Its recommendations apply only if every part of the system is running with a secure configuration.
Gossip Encryption and Mutual TLS Encryption are the foundations for a secure Consul datacenter.
Gossip Encryption
Consul uses a gossip protocol to manage membership and broadcast messages to the cluster.
Consul uses the gossip protocol to:
- Identify datacenter members.
- Quickly detect failed members and notify the rest of the cluster.
- Broadcast custom events and queries. These can be used to trigger custom workflows.
The protocol, membership management, and message broadcasting are provided through the Serf library.
In a default Consul configuration, the gossip protocol uses port 8301 for LAN communication and port 8302 for WAN communication between federated datacenters. Enabling gossip encryption on a Consul datacenter secures the traffic on both ports.
Gossip encryption is symmetric and based on a single key that is shared across all members of the datacenter. You can configure gossip encryption in Consul using the following parameters:
- `encrypt`
- `encrypt_verify_incoming`. Only used when upshifting from unencrypted to encrypted gossip on a running cluster.
- `encrypt_verify_outgoing`. Only used when upshifting from unencrypted to encrypted gossip on a running cluster.
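The following agent configuration is an added example, not a fragment of the Consul documentation. It shows the three parameters together, with the two `encrypt_verify_*` settings as they are staged when an existing, unencrypted cluster is moved to encrypted gossip: first both `false` (plaintext still accepted and sent while the key is rolled out), then `encrypt_verify_outgoing = true` (encrypted gossip is sent, plaintext still accepted), then both `true` (the enforced final state, which is also where a new cluster should start). The key value is a placeholder; the real value is the output of `consul keygen`, distributed to every agent out of band.

```hcl
# Shared symmetric gossip key (placeholder, not a real key):
# generate one with `consul keygen` and give the same value to every agent.
encrypt = "REPLACE_WITH_OUTPUT_OF_consul_keygen"

# Upshift on a running cluster, phase 1: while the key is being distributed,
# keep accepting and sending plaintext so keyed and unkeyed agents still talk.
#   encrypt_verify_incoming = false
#   encrypt_verify_outgoing = false
#
# Phase 2: every agent has the key; send encrypted gossip, still accept plaintext
# from agents that have not restarted yet.
#   encrypt_verify_incoming = false
#   encrypt_verify_outgoing = true
#
# Phase 3 (active below): enforce encryption in both directions. Both values
# default to true, so a cluster that starts encrypted can omit them.
encrypt_verify_incoming = true
encrypt_verify_outgoing = true
```

Each phase requires a rolling restart of the agents, and no agent should move to the next phase before every member of the datacenter has completed the previous one; otherwise members without the key are partitioned from gossip and show up as failed.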
Learn more on how to enable gossip encryption on your Consul datacenter in Gossip Encryption documentation.
Mutual TLS (mTLS) Encryption
Consul uses other communication protocols over different ports:
- A consensus protocol, used to provide consistency over the cluster data stored by Consul servers. It typically uses port 8300.
- Remote Procedure Calls (RPC), to forward requests from client agents to server agents. They use the same port as the consensus protocol.
- An HTTP[S] interface, typically exposed on ports 8500 and 8501. This interface is used for client communication through the Consul API, CLI, and UI.
- A gRPC[S] interface, to receive incoming traffic from the gateways and Envoy proxies registered to the agent node. It is typically exposed on ports 8502 and 8503.
All of these channels can be secured using mTLS. Consul also uses mTLS to verify the authenticity of servers and clients.
To enable this, Consul requires that all clients and servers have key pairs issued by a single Certificate Authority (CA). This should be a private CA, used only internally.
You can configure mTLS in Consul using the `tls` stanza in the configuration files.
Since Consul 1.12 you can have different configuration stanzas for the different protocols:
- `tls.defaults` provides default settings that are applied to every interface unless explicitly overridden by protocol-specific configuration.
- `tls.grpc` provides settings for the gRPC/xDS interface.
- `tls.https` provides settings for the HTTPS interface.
- `tls.internal_rpc` provides settings for the internal "server" RPC interface.
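The following `tls` stanza is an added example, not taken from the Consul documentation. It shows how the sub-stanzas combine: `tls.defaults` turns on certificate verification for every listener, `tls.internal_rpc` additionally pins the expected server name so a client certificate issued by the same CA cannot pose as a server, and `tls.https` relaxes the client-certificate requirement on the HTTP API alone, where operators usually authenticate with ACL tokens instead. The certificate paths and the `ports` values are assumptions for a server agent in datacenter `dc1`.

```hcl
tls {
  defaults {
    # Private, internal CA that issued every agent's key pair (paths assumed).
    ca_file   = "/etc/consul.d/certs/consul-agent-ca.pem"
    cert_file = "/etc/consul.d/certs/dc1-server-consul-0.pem"
    key_file  = "/etc/consul.d/certs/dc1-server-consul-0-key.pem"

    # Mutual TLS: require a CA-signed certificate from the peer on incoming
    # connections and verify the peer's certificate on outgoing ones.
    verify_incoming = true
    verify_outgoing = true
  }

  internal_rpc {
    # Beyond chain validation, require the server certificate to carry the
    # server.<datacenter>.<domain> name so a client cert cannot impersonate a server.
    verify_server_hostname = true
  }

  https {
    # API, CLI and UI clients present an ACL token rather than a client
    # certificate, so only this listener drops the client-cert requirement.
    verify_incoming = false
  }

  # grpc inherits tls.defaults: Envoy proxies and gateways must present a
  # certificate from the same private CA.
  grpc {}
}

ports {
  # Disable the plaintext HTTP listener and serve the API over TLS only.
  http  = -1
  https = 8501
}
```

With `verify_incoming = true` in `tls.defaults`, any agent or proxy that connects to the server RPC or gRPC port without a certificate chained to `ca_file` is rejected during the handshake, which is the check that makes the CA the trust boundary of the datacenter.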
Learn more on how to enable mTLS on your Consul datacenter in mTLS encryption documentation.