kemko/nomad
1
0
Fork 0
mirror of https://github.com/kemko/nomad.git synced 2026-01-06 10:25:42 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
0367b60ca9b06d2f5801ac22e209d7fecd929d37
nomad/website/content/docs/configuration/keyring/index.mdx
Aimee Ukasick 53b083b8c5 Docs: Nomad IA (#26063) 
* Move commands from docs to its own root-level directory

* temporarily use modified dev-portal branch with nomad ia changes

* explicitly clone nomad ia exp branch

* retrigger build, fixed dev-portal broken build

* architecture, concepts and get started individual pages

* fix get started section destinations

* reference section

* update repo comment in website-build.sh to show branch

* docs nav file update capitalization

* update capitalization to force deploy

* remove nomad-vs-kubernetes dir; move content to what is nomad pg

* job section

* Nomad operations category, deploy section

* operations category, govern section

* operations - manage

* operations/scale; concepts scheduling fix

* networking

* monitor

* secure section

* remote auth-methods folder and move up pages to sso; linkcheck

* Fix install2deploy redirects

* fix architecture redirects

* Job section: Add missing section index pages

* Add section index pages so breadcrumbs build correctly

* concepts/index fix front matter indentation

* move task driver plugin config to new deploy section

* Finish adding full URL to tutorials links in nav

* change SSO to Authentication in nav and file system

* Docs NomadIA: Move tutorials into NomadIA branch (#26132)

* Move governance and policy from tutorials to docs

* Move tutorials content to job-declare section

* run jobs section

* stateful workloads

* advanced job scheduling

* deploy section

* manage section

* monitor section

* secure/acl and secure/authorization

* fix example that contains an unseal key in real format

* remove images from sso-vault

* secure/traffic

* secure/workload-identities

* vault-acl change unseal key and root token in command output sample

* remove lines from sample output

* fix front matter

* move nomad pack tutorials to tools

* search/replace /nomad/tutorials links

* update acl overview with content from deleted architecture/acl

* fix spelling mistake

* linkcheck - fix broken links

* fix link to Nomad variables tutorial

* fix link to Prometheus tutorial

* move who uses Nomad to use cases page; move spec/config shortcuts

add dividers

* Move Consul out of Integrations; move namespaces to govern

* move integrations/vault to secure/vault; delete integrations

* move ref arch to docs; rename Deploy Nomad back to Install Nomad

* address feedback

* linkcheck fixes

* Fixed raw_exec redirect

* add info from /nomad/tutorials/manage-jobs/jobs

* update page content with newer tutorial

* link updates for architecture sub-folders

* Add redirects for removed section index pages. Fix links.

* fix broken links from linkcheck

* Revert to use dev-portal main branch instead of nomadIA branch

* build workaround: add intro-nav-data.json with single entry

* fix content-check error

* add intro directory to get around Vercel build error

* workound for emtpry directory

* remove mdx from /intro/ to fix content-check and git snafu

* Add intro index.mdx so Vercel build should work

---------

Co-authored-by: Tu Nguyen <im2nguyen@gmail.com>
2025-07-08 19:24:52 -05:00

111 lines
4.3 KiB
Plaintext
Raw Blame History

---
layout: docs
page_title: keyring Block in Agent Configuration
description: >-
Configure keyring protection behavior in the `keyring` block of a Nomad agent configuration. Enable a keyring and configure a name. Learn how to configure keyring high availability (HA) and migrate keyrings.
---
# `keyring` Block in Agent Configuration
<Placement groups={['keyring']} />
This page provides reference information for configuring keyring protection
behavior in the `keyring` block of a Nomad agent configuration. Enable a keyring
and configure a name. Learn how to configure keyring high availability (HA) and
migrate keyrings.
The `keyring` block configures how the Nomad server protects the keyring used
for encrypting [variables][] and signing [workload identities][]. By default,
Nomad encrypts the key material with a unique key encryption key (KEK) that is
not shared between servers, and writes the wrapped key material to disk as
described in [Key Management][]. Nomad refers to this as `"aead"` (authenticated
encryption with associated data). Using the `keyring` configuration block, Nomad
servers can instead use an external key management system (KMS) or Vault transit
encryption. The encrypted key is stored on disk but is now protected against
offline attacks because the KEK is not present in the file.
All `keyring` blocks require a label for the KMS type. Each external KMS has its
own configuration options. The `keyring` block only applies to Nomad servers,
not Nomad clients.
```hcl
keyring [TYPE] {
name = "example"
active = true
}
```
The default `keyring` configuration is as follows:
```hcl
keyring "aead" {
active = true
}
```
## `keyring` Parameters
All `keyring` blocks support the following parameters.
- `name` `(string: "")` - A unique identifier for the `keyring` block, used to
disambiguate when there are multiple blocks of the same type.
- `active` `(bool: false)` - Indicates which block to use for encrypting
keys. For existing servers, changing which block is `active` only impacts new
keys created by a [key rotation][]. Existing keys are encrypted with the
previous `active` block, so those blocks should not be removed from the
configuration until they have been garbage collected and the keys have been
removed from the keystore. In Nomad Community Edition, only a single keyring
can be `active` at a time.
## Migrating Keyrings
To migrate to a new keyring, add the new `keyring` block to the servers with
`active=true`, and restart the servers. The server starts using the new keyring
wrapper when the current key is rotated either periodically or via the [`nomad
operator root keyring rotate`][keyring_rotate_cmd] command.
Adding or removing a keyring requires restarting the Nomad server. You should
not remove a keyring until all keys it wraps have been garbage collected. You
can examine the contents of the `keystore` directory found in the Nomad server's
data directory and compare this against the output of [`nomad operator root
keyring list`][keyring_list_cmd].
## High Availability
<EnterpriseAlert product="nomad"/>
Keyring high availability provides the means to configure multiple active
`keyring` blocks, in order to have resilience against an outage of an external
KMS. When there are multiple `keyring` blocks with `active = true`, Nomad
Enterprise encrypts each key it creates in all the active KMS providers. On
startup, Nomad tries each KMS provider in order until it finds a provider that
can decrypt each key.
In this example high availability configuration, both `keyring` blocks use the
`"awskms"` provider, but each block uses a different KMS key in a different AWS
region.
```hcl
keyring "awskms" {
active = true
name = "kms-us-east-1"
region = "us-east-1"
kms_key_id = "arn:aws:kms:us-east-1:000000000000:key/7d23633a-4464-11ef-a273-abd12example"
}
keyring "awskms" {
active = true
name = "kms-us-east-2"
region = "us-east-2"
kms_key_id = "alias/nomad-keyring-us-east-2"
}
```
[variables]: /nomad/docs/concepts/variables
[workload identities]: /nomad/docs/concepts/workload-identity
[Key Management]: /nomad/docs/manage/key-management
[key rotation]: /nomad/docs/manage/key-management#key-rotation
[keyring_rotate_cmd]: /nomad/commands/operator/root/keyring-rotate
[keyring_list_cmd]: /nomad/commands/operator/root/keyring-list
Reference in New Issue View Git Blame Copy Permalink