Encrypted communication between Consul agents
This topic provides an overview of the two distinct encryption systems available in Consul. Gossip encryption and Mutual TLS encryption are the foundations of a secure Consul datacenter.
The guidelines in the Consul security model for operating a secure Consul deployment recommend using both encryption systems.
Gossip Encryption
Consul uses a gossip protocol to perform the following cluster operations:
- Identify datacenter members.
- Quickly detect failed members and notify the rest of the cluster.
- Broadcast events and queries that can trigger custom workflows.
The gossip protocol, as well as its membership management and message broadcasting features, use the Serf library.
In a default Consul configuration, the gossip protocol uses port 8301 for LAN communications and port 8302 for WAN communications between federated datacenters. Enabling gossip encryption on a Consul datacenter is required to secure traffic on these two ports.
Gossip encryption is symmetric and based on a single key that is shared across all members of the datacenter. You can configure gossip encryption in Consul using the following parameters:
- encrypt
- encrypt_verify_incoming. Only used when upshifting from unencrypted to encrypted gossip on a running cluster.
- encrypt_verify_outgoing. Only used when upshifting from unencrypted to encrypted gossip on a running cluster.
To learn more about enabling gossip encryption on your Consul datacenter and rotating gossip keys, refer to manage gossip encryption.
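The following agent configuration fragment is an added example, not taken from the Consul documentation page, showing the three gossip parameters together in their final, fully enforcing state. The key value is a placeholder; the comments describe the transitional values the verify flags take while a running cluster is being upshifted.

```hcl
# Added example agent configuration (HCL), not from the page.
# The key is shared by every member of the datacenter. Generate it with
# `consul keygen` and distribute it through a secret store, never by
# checking it into version control. The value below is a placeholder.
encrypt = "REPLACE_WITH_OUTPUT_OF_consul_keygen"

# With both flags true the agent refuses unencrypted gossip in either
# direction on ports 8301 (LAN) and 8302 (WAN). Both flags only matter while
# upshifting a running, unencrypted cluster: during that rollout they are
# set to false so members that have not yet received the key keep talking,
# and are flipped to true once every member has been restarted with the key.
encrypt_verify_incoming = true
encrypt_verify_outgoing = true
```

A practical check after the rollout is that every agent reports `Encrypt: true` in its startup log and that no member drops out of `consul members` once the verify flags are enforced.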
Mutual TLS (mTLS) Encryption
Consul uses several communication protocols over different ports that you can secure using mTLS:
- A consensus protocol provides data consistency between Consul servers. It typically uses port 8300.
- Remote Procedure Calls (RPC) forward requests from client agents to server agents. They use the same port the consensus protocol uses.
- An HTTP or HTTPS interface permits client communication with the Consul API, CLI, and UI. It typically uses port 8500 and port 8501.
- A gRPC interface receives incoming traffic from the gateways and Envoy proxies registered to the agent node. It typically uses port 8502 and port 8503.
Consul uses mTLS to verify the authenticity of server and client agents. It requires that all clients and servers have key pairs that are generated by a single Certification Authority (CA). We recommend using a private CA that is not shared with other applications.
You can configure mTLS in Consul using the tls stanza in agent configuration files.
You can configure mTLS encryption for each protocol separately using the following parameters in the agent configuration file:
- tls.defaults provides default settings that Consul applies to every interface unless explicitly overridden by protocol-specific configurations.
- tls.internal_rpc provides settings for the internal server RPC interface.
- tls.https provides settings for the HTTP/HTTPS interface.
- tls.grpc provides settings for the gRPC/xDS interface.
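The following server agent configuration is an added example, not code from the Consul documentation page, showing how tls.defaults carries the datacenter-wide settings and how each protocol-specific sub-stanza overrides only what it needs. The certificate file paths are placeholders for files issued by the private CA; the ports stanza is not discussed on this page and is included on the assumption that you also want to close the plaintext listeners.

```hcl
# Added example server agent configuration (HCL), not from the page.
# All certificate paths are placeholders for files issued by the private CA.
tls {
  defaults {
    # Applied to every interface unless a sub-stanza below overrides it.
    ca_file   = "/etc/consul.d/certs/consul-agent-ca.pem"
    cert_file = "/etc/consul.d/certs/dc1-server-consul-0.pem"
    key_file  = "/etc/consul.d/certs/dc1-server-consul-0-key.pem"
    # Require a client certificate from the same CA on inbound connections
    # and verify the server certificate on outbound ones.
    verify_incoming = true
    verify_outgoing = true
  }

  internal_rpc {
    # Stops a compromised client certificate from being presented as a
    # server: the peer certificate must carry the server.<datacenter>.<domain>
    # name, which only server certificates are issued with.
    verify_server_hostname = true
  }

  https {
    # UI and API clients commonly authenticate with ACL tokens instead of
    # client certificates, so only this interface relaxes verify_incoming.
    verify_incoming = false
  }

  grpc {
    # Envoy proxies and gateways present certificates, so keep mutual auth.
    verify_incoming = true
  }
}

# Assumed companion setting (not on this page): disable the plaintext HTTP
# listener so that API traffic can only arrive over TLS on 8501.
ports {
  http  = -1
  https = 8501
}
```

The useful review question for any tls stanza is which interfaces end up with verify_incoming = false: in this layout only https does, and that choice is made visible at the override rather than buried in the defaults.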
To learn more about enabling mTLS on your Consul datacenter, refer to Manage mTLS encryption.