HashiCorp Certified: Consul Associate Certification

Secure Agent Communication

Objective 7 Section Overview

In this lesson, we’ll cover how to secure communication between Consul agents in a datacenter. You will learn:

  1. Consul security model and threat assumptions
  2. TLS certificate types: server CA, client certificates, and more
  3. TLS encryption settings to fully lock down your Consul datacenter

Figure: objective overview slide listing the three learning goals above (difficulty level 2).

Consul Security Model

Consul’s security model is built around a zero-trust philosophy, where every component must authenticate and authorize requests. The threat model assumes:

  • Agents or servers may be compromised.
  • Network traffic could be intercepted or manipulated.
  • Attackers might attempt to impersonate nodes or services.

Note

Consul uses mutual TLS (mTLS) to enforce identity verification and data confidentiality across all RPC calls.

Key Security Principles

  • Authentication: Verify node and service identity using TLS certificates.
  • Authorization: Control access via ACL tokens.
  • Encryption: Encrypt all RPC traffic with TLS and gossip traffic with the shared gossip encryption key.

TLS Certificate Types

Consul requires several certificate types to establish encrypted channels. Use the table below to understand their roles:

Certificate Type        Purpose                                           Example Configuration
Server CA               Signs TLS certificates for Consul servers         ca.pem
Client Certificate      Authenticates Consul clients (agents) to servers  client.pem, client-key.pem
Gossip Encryption Key   Secures gossip layer traffic (optional)           gossip-encryption-key

Warning

Protect your private keys (.pem files). Unauthorized access may allow attackers to impersonate nodes.


Configuring TLS Encryption

To enforce TLS encryption in Consul, update your agent and server configuration files (config.hcl) with the following parameters:

# Server configuration: config/server.hcl
server = true
verify_incoming = true
verify_outgoing = true
ca_file = "/etc/consul/tls/ca.pem"
cert_file = "/etc/consul/tls/server.pem"
key_file = "/etc/consul/tls/server-key.pem"

# Client (agent) configuration: config/client.hcl
verify_incoming = true
verify_outgoing = true
ca_file = "/etc/consul/tls/ca.pem"
cert_file = "/etc/consul/tls/client.pem"
key_file = "/etc/consul/tls/client-key.pem"

Additional setting for the gossip encryption key:

encrypt = "base64-encoded-gossip-key"
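As an added example (not part of the course material), the following Go program builds a throwaway CA plus a server and a client certificate in memory and then performs the check a Consul agent makes when verify_outgoing = true and verify_server_hostname = true: the peer's certificate must chain to ca_file and carry the SAN server.<datacenter>.consul, so a leaked client certificate from the same CA is not accepted as a server. The template, issue and VerifyServerCert functions and the CN/SAN values are this example's own; verify_server_hostname is a real Consul setting not shown in the configuration above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds a one-year certificate template; san carries the DNS names a peer is checked against.
func template(serial int64, cn string, san []string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: san,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, IsCA: isCA, BasicConstraintsValid: true,
	}
	if isCA { t.KeyUsage |= x509.KeyUsageCertSign } // only the CA may sign certificates
	return t
}

// issue signs tmpl with parent/parentKey; a nil parent means self-signed (the CA itself).
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	if parent == nil { parent, parentKey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// VerifyServerCert mirrors verify_outgoing + verify_server_hostname: chain to ca_file AND SAN server.<dc>.consul.
func VerifyServerCert(ca, leaf *x509.Certificate, dc string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "server." + dc + ".consul"})
	return err
}

func main() {
	ca, caKey := issue(template(1, "Consul Agent CA", nil, true), nil, nil) // constructed throwaway CA
	server, _ := issue(template(2, "server.dc1.consul", []string{"server.dc1.consul"}, false), ca, caKey)
	client, _ := issue(template(3, "client.dc1.consul", []string{"client.dc1.consul"}, false), ca, caKey)
	fmt.Println("server cert as dc1 server:", VerifyServerCert(ca, server, "dc1")) // <nil>
	fmt.Println("client cert as dc1 server:", VerifyServerCert(ca, client, "dc1")) // hostname error
}
```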

Best Practices

  • Rotate TLS certificates and gossip keys regularly.
  • Use a dedicated CA for your Consul datacenter.
  • Automate certificate issuance with HashiCorp Vault or your PKI.
