mirror of
https://github.com/kemko/nomad.git
synced 2026-01-08 03:15:42 +03:00
* Move commands from docs to its own root-level directory * temporarily use modified dev-portal branch with nomad ia changes * explicitly clone nomad ia exp branch * retrigger build, fixed dev-portal broken build * architecture, concepts and get started individual pages * fix get started section destinations * reference section * update repo comment in website-build.sh to show branch * docs nav file update capitalization * update capitalization to force deploy * remove nomad-vs-kubernetes dir; move content to what is nomad pg * job section * Nomad operations category, deploy section * operations category, govern section * operations - manage * operations/scale; concepts scheduling fix * networking * monitor * secure section * remote auth-methods folder and move up pages to sso; linkcheck * Fix install2deploy redirects * fix architecture redirects * Job section: Add missing section index pages * Add section index pages so breadcrumbs build correctly * concepts/index fix front matter indentation * move task driver plugin config to new deploy section * Finish adding full URL to tutorials links in nav * change SSO to Authentication in nav and file system * Docs NomadIA: Move tutorials into NomadIA branch (#26132) * Move governance and policy from tutorials to docs * Move tutorials content to job-declare section * run jobs section * stateful workloads * advanced job scheduling * deploy section * manage section * monitor section * secure/acl and secure/authorization * fix example that contains an unseal key in real format * remove images from sso-vault * secure/traffic * secure/workload-identities * vault-acl change unseal key and root token in command output sample * remove lines from sample output * fix front matter * move nomad pack tutorials to tools * search/replace /nomad/tutorials links * update acl overview with content from deleted architecture/acl * fix spelling mistake * linkcheck - fix broken links * fix link to Nomad variables tutorial * fix link to Prometheus tutorial * move who uses Nomad to use cases page; move spec/config shortcuts add dividers * Move Consul out of Integrations; move namespaces to govern * move integrations/vault to secure/vault; delete integrations * move ref arch to docs; rename Deploy Nomad back to Install Nomad * address feedback * linkcheck fixes * Fixed raw_exec redirect * add info from /nomad/tutorials/manage-jobs/jobs * update page content with newer tutorial * link updates for architecture sub-folders * Add redirects for removed section index pages. Fix links. * fix broken links from linkcheck * Revert to use dev-portal main branch instead of nomadIA branch * build workaround: add intro-nav-data.json with single entry * fix content-check error * add intro directory to get around Vercel build error * workaround for empty directory * remove mdx from /intro/ to fix content-check and git snafu * Add intro index.mdx so Vercel build should work --------- Co-authored-by: Tu Nguyen <im2nguyen@gmail.com>
89 lines
2.9 KiB
Plaintext
---
layout: docs
page_title: Enable gossip encryption
description: |-
  Create an encryption key and then configure Nomad to encrypt the gossip protocol, which communicates membership and node health information between Nomad servers.
---

# Enable gossip encryption

The gossip protocol that Nomad servers use to communicate membership and
liveness information can be encrypted with symmetric keys. Enabling gossip
encryption requires you to set an encryption key when starting the Nomad server.
The key can be set via the [`encrypt`] parameter or with the [`-encrypt` command
line option]. The key must be a base64-encoded string of 32 random bytes.
The same encryption key should be used on every server in a region.

<Note>

To secure RPC and HTTP communication, you will need to configure
TLS. You can learn how in the [Enable TLS encryption guide][tls-guide].

</Note>

## Generate an encryption key

The Nomad CLI includes an `operator gossip keyring generate` command for generating a new secure
gossip encryption key.

```shell-session
$ nomad operator gossip keyring generate
4kRkFQfcc3LU0BazP1ca+z==
```

Current and older versions of `nomad operator gossip keyring generate` return 16 bytes; however,
Nomad supports gossip encryption keys of 32 bytes as well. Supplying a 32-byte key
enables AES-256 mode, whereas supplying a 16-byte key enables AES-128 mode.

Alternatively, you can use any method that can create 32 random bytes encoded in
base64.

```shell-session
$ openssl rand -base64 32
4YwLQm6ZMwYgfldNBT5P76tAWMdcBmu+FPYRvCxvsHc=
```

```shell-session
$ dd if=/dev/urandom bs=32 count=1 status=none | base64
IisA4F7Mu/RwGfBZelcsFzMlJ4+twnO5Z7eoTzD0T6c=
```
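
As an added example that is not part of the Nomad docs, the POSIX shell helpers below generate a 32-byte key the same way the `openssl` and `dd` commands above do, and check that a candidate key decodes to exactly 16 bytes (AES-128) or 32 bytes (AES-256) before it goes into `encrypt`, so a truncated or mis-pasted key is caught before a server restart rather than at agent start. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the Nomad docs. Function names are assumptions.

# Print the decoded byte length of a base64 string; fail if it is not valid base64.
gossip_key_bytes() {
    printf '%s' "$1" | base64 -d >/dev/null 2>&1 || return 1
    printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' '
}

# Accept only keys that decode to 16 bytes (AES-128) or 32 bytes (AES-256),
# the two sizes Nomad's gossip encryption supports. Anything else (for example
# a 24-byte key from "openssl rand -base64 24") is rejected.
check_gossip_key() {
    n=$(gossip_key_bytes "$1") || { echo "rejected: not valid base64" >&2; return 1; }
    case "$n" in
        16|32) echo "ok: ${n}-byte key (AES-$((n * 8)))" ;;
        *) echo "rejected: decodes to $n bytes, need 16 or 32" >&2; return 1 ;;
    esac
}

# Generate a fresh 32-byte (AES-256) key, equivalent to "openssl rand -base64 32".
generate_gossip_key() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Usage: generate one key, verify it, then put the same value in every server's config.
key=$(generate_gossip_key)
check_gossip_key "$key"
```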

## Configure the server to use the key

Put the same generated key into every server's configuration file or command
line arguments:

```hcl
server {
  enabled = true

  # Self-elect, should be 3 or 5 for production. This is only for single node
  # clusters which are strictly for development/demo.
  bootstrap_expect = 1

  # Encrypt gossip communication
  encrypt = "+p7iF56z0EWoSIvhpYHWXZrSAAtnjR9l6XHRzHqQKlg="
}
```

## Restart the server to enable encryption

You can perform a rolling restart of the Nomad process on each of your server
nodes to enable encryption. Restart your servers one at a time in order to
maintain a quorum of nodes on one side or the other of this soft partition.

Once all of the nodes have been restarted, all gossip traffic will be encrypted
between all of your server nodes.

## Next steps

If you would like to learn more technical information about Nomad's gossip
protocol, consult the [Serf library] documentation.

[tls-guide]: /nomad/docs/secure/traffic/tls
[`-encrypt` command line option]: /nomad/commands/agent
[`encrypt`]: /nomad/docs/configuration/server#encrypt
[`nomad operator gossip keyring` command]: /nomad/commands/operator/gossip/keyring-generate
[serf library]: https://www.serf.io/docs/internals/gossip.html
[tls]: /nomad/docs/configuration/tls