
How to change encryption key used for gossip messages

Rotate the encryption key used for Consul gossip messages: install the new key on every member, make it the primary key, then remove the old one.

List the currently installed keys; the [3/3] counter shows how many cluster members in each pool report the key.

$ consul keyring -list
==> Gathering installed encryption keys...

WAN:
  AcHUV+z4kLDJiQeVqLAh2sG25SH4K4WYU6oIru29lSM= [3/3]

dc-lab-1 (LAN):
  AcHUV+z4kLDJiQeVqLAh2sG25SH4K4WYU6oIru29lSM= [3/3]

Generate new encryption key.

$ consul keygen
yGXbSTif+f6XSnhfQGHqrnpYvMdmeRhPiggcEOyGObI=

Distribute new encryption key to every member in the cluster.

$ consul keyring -install=yGXbSTif+f6XSnhfQGHqrnpYvMdmeRhPiggcEOyGObI=
==> Installing new gossip encryption key...

List the encryption keys to confirm that the new key has reached every member ([3/3] in each pool) before switching to it.

$ consul keyring -list
==> Gathering installed encryption keys...

WAN:
  AcHUV+z4kLDJiQeVqLAh2sG25SH4K4WYU6oIru29lSM= [3/3]
  yGXbSTif+f6XSnhfQGHqrnpYvMdmeRhPiggcEOyGObI= [3/3]

dc-lab-1 (LAN):
  AcHUV+z4kLDJiQeVqLAh2sG25SH4K4WYU6oIru29lSM= [3/3]
  yGXbSTif+f6XSnhfQGHqrnpYvMdmeRhPiggcEOyGObI= [3/3]

Switch to new key.

$ consul keyring -use=yGXbSTif+f6XSnhfQGHqrnpYvMdmeRhPiggcEOyGObI=
==> Changing primary gossip encryption key...

Display only primary encryption key to confirm the change.

$ consul keyring -list-primary
==> Gathering installed primary encryption keys...

WAN:
  yGXbSTif+f6XSnhfQGHqrnpYvMdmeRhPiggcEOyGObI= [3/3]

dc-lab-1 (LAN):
  yGXbSTif+f6XSnhfQGHqrnpYvMdmeRhPiggcEOyGObI= [3/3]

Remove old encryption key.

$ consul keyring -remove=AcHUV+z4kLDJiQeVqLAh2sG25SH4K4WYU6oIru29lSM=
==> Removing gossip encryption key...

List installed encryption keys.

$ consul keyring -list
==> Gathering installed encryption keys...

WAN:
  yGXbSTif+f6XSnhfQGHqrnpYvMdmeRhPiggcEOyGObI= [3/3]

dc-lab-1 (LAN):
  yGXbSTif+f6XSnhfQGHqrnpYvMdmeRhPiggcEOyGObI= [3/3]

Remember to reflect this change in your agent configuration (the encrypt setting), especially when using Ansible or other configuration-management tools, so that a restarted agent does not come back with the removed key.
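The same procedure as an added shell script (not from the original post): it parses the consul keyring -list output so that the switch to the new key, and the removal of the old one, only happen once every pool reports the key at [n/n]. It assumes a consul binary on PATH talking to an agent in the cluster; key_fully_installed and rotate_gossip_key are names introduced here.

```sh
#!/bin/sh
# Added example, not from the original post: wrap the rotation steps so that
# the switch to the new key happens only once every member reports it.
# Assumes a "consul" binary on PATH talking to an agent in the cluster.

# key_fully_installed KEYRING_OUTPUT KEY
# Succeeds when KEY appears in every pool (WAN and each LAN) of the
# "consul keyring -list" output with a full [n/n] member count.
key_fully_installed() {
  printf '%s\n' "$1" | awk -v key="$2" '
    /:$/ { pools++ }                       # "WAN:" / "<dc> (LAN):" headers
    $1 == key {
      n = $2; gsub(/\[|\]/, "", n)         # "[3/3]" -> "3/3"
      split(n, c, "/")
      if (c[1] == c[2]) full++             # all members report this key
    }
    END { exit !(pools > 0 && full == pools) }'
}

# rotate_gossip_key OLD_KEY
# Generate, distribute, verify, activate, verify again, then remove OLD_KEY.
rotate_gossip_key() {
  old_key=$1
  new_key=$(consul keygen) || return 1
  consul keyring -install="$new_key" || return 1
  if ! key_fully_installed "$(consul keyring -list)" "$new_key"; then
    echo "new key is not on every member yet; not switching" >&2
    return 1
  fi
  consul keyring -use="$new_key" || return 1
  if ! key_fully_installed "$(consul keyring -list-primary)" "$new_key"; then
    echo "new key did not become primary everywhere; old key kept" >&2
    return 1
  fi
  consul keyring -remove="$old_key" || return 1
  consul keyring -list
}

# Usage: ./rotate-gossip-key.sh <current key>
if [ "$#" -eq 1 ]; then
  rotate_gossip_key "$1"
fi
```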