HashiCorp Certified: Consul Associate Certification

Use Gossip Encryption

Demo Configure Gossip Encryption

In this guide, you'll secure all gossip traffic within an existing HashiCorp Consul cluster by enabling gossip encryption and message verification. By default, gossip communications are unencrypted. We’ll update each server’s agent configuration to use a shared encryption key and enable both incoming and outgoing verification.


Table of Contents

  1. Check Current Configuration
  2. Enable Gossip Encryption
  3. Validate Encryption
  4. Links and References

1. Check Current Configuration

First, verify that your cluster is using a shared encryption key but has message verification disabled.

Consul Node   Configuration Path          Action
Node A        /etc/consul.d/config.hcl    Open and inspect existing settings
Node B        /etc/consul.d/config.hcl    Verify identical encrypt value

On Consul Node A

sudo vi /etc/consul.d/config.hcl

You should see an HCL block similar to:

{
  "log_level": "INFO",
  "node_name": "consul-node-a",
  "server": true,
  "ui": true,
  "leave_on_terminate": true,
  "data_dir": "/etc/consul.d/data/",
  "datacenter": "us-east-1",
  "client_addr": "0.0.0.0",
  "bind_addr": "10.0.101.110",
  "advertise_addr": "10.0.101.110",
  "retry_join": ["10.0.101.248"],
  "bootstrap_expect": 2,
  "enable_syslog": true,
  "encrypt": "62qhd/DH15Axr01MRUpMkvt53p4FAvu+FgARDUaMzA=",
  "encrypt_verify_incoming": false,
  "encrypt_verify_outgoing": false,
  "connect": { "enabled": true },
  "acl": {
    "enabled": true,
    "default_policy": "allow",
    "down_policy": "extend-cache"
  },
  "performance": { "raft_multiplier": 1 }
}

Note

To generate or rotate a gossip encryption key, run:

consul keygen

Ensure the same key appears in every server’s encrypt field.

On Consul Node B

sudo vi /etc/consul.d/config.hcl

Confirm the encrypt value matches Node A and that both verification flags are set to false.

{
  "node_name": "consul-node-b",
  // ...
  "encrypt": "62qhd/DH15Axr01MRUpMkvt53p4FAvu+FgARDUaMzA=",
  "encrypt_verify_incoming": false,
  "encrypt_verify_outgoing": false,
  // ...
}

Restart Agents to View Current State

sudo systemctl restart consul
journalctl -u consul --no-pager | grep "Encrypt:"

Expected log output:

Encrypt: Gossip: true, TLS-Incoming: false, TLS-Outgoing: false
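The checks in this section (same key on every node, which verify flags are still false, key produced by consul keygen) can be scripted before touching any agent. The script below is an added example, not part of the course or of Consul; it reads the JSON-style config shown above, and the node names, file paths and key in its demo are constructed placeholders.

```shell
#!/bin/sh
# Added pre-flight check (not from the course or HashiCorp): before turning on
# encrypt_verify_*, confirm every node's config.hcl carries the same, well-formed
# gossip key and report which verification flags are still false.
# Configs are expected in the JSON-style HCL shown on this page.

# Print the value of a top-level "key": value setting (quoted or bare).
cfg_get() {                      # cfg_get <config-file> <key>
  sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",]*\)\"\{0,1\}.*/\1/p" "$1" | head -n 1
}

# consul keygen output is base64 for a 16-, 24- or 32-byte AES key.
gossip_key_valid() {             # gossip_key_valid <base64-key>
  n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ "$n" = 16 ] || [ "$n" = 24 ] || [ "$n" = 32 ]
}

# Return 0 only if all given configs share one valid key; prints one line per node.
check_cluster() {                # check_cluster <config-file>...
  ref=""; rc=0
  for f in "$@"; do
    name=$(cfg_get "$f" node_name); key=$(cfg_get "$f" encrypt)
    inc=$(cfg_get "$f" encrypt_verify_incoming)
    out=$(cfg_get "$f" encrypt_verify_outgoing)
    if ! gossip_key_valid "$key"; then echo "$name: encrypt key malformed"; rc=1; fi
    if [ -z "$ref" ]; then ref=$key; fi
    if [ "$key" != "$ref" ]; then echo "$name: encrypt key differs from first node"; rc=1; fi
    echo "$name: verify_incoming=${inc:-unset} verify_outgoing=${out:-unset}"
  done
  return $rc
}

# Demo with constructed configs (the key below is a placeholder, not a real cluster key).
demo() {
  d=$(mktemp -d); k='pUqP5mDRlZq0BAuXJ+kKvHgHt0SG3C9PqXN7mYkq0zw='
  printf '{\n  "node_name": "consul-node-a",\n  "encrypt": "%s",\n  "encrypt_verify_incoming": false,\n  "encrypt_verify_outgoing": false\n}\n' "$k" > "$d/a.hcl"
  printf '{\n  "node_name": "consul-node-b",\n  "encrypt": "%s",\n  "encrypt_verify_incoming": false,\n  "encrypt_verify_outgoing": false\n}\n' "$k" > "$d/b.hcl"
  check_cluster "$d/a.hcl" "$d/b.hcl"
  rm -rf "$d"
}

demo
```

Run it against the real paths on each node (for example over ssh) instead of the demo files; a non-zero exit means the cluster is not ready for step 2.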

2. Enable Gossip Encryption

Follow two steps to fully secure gossip traffic:

Step   Flag to Enable
1      encrypt_verify_outgoing = true
2      encrypt_verify_incoming = true

Step 1: Enable Outgoing Verification

Edit each node’s config.hcl:

{
  // ... existing settings ...
  "encrypt_verify_incoming": false,
  "encrypt_verify_outgoing": true,
  // ...
}

Restart the agent:

sudo systemctl restart consul

Step 2: Enable Incoming Verification

Update both nodes again:

{
  // ... existing settings ...
  "encrypt_verify_incoming": true,
  "encrypt_verify_outgoing": true,
  // ...
}

Restart to apply changes:

sudo systemctl restart consul

Warning

Restarting the Consul agent will momentarily interrupt cluster membership. Perform these steps during a maintenance window.


3. Validate Encryption

After enabling both flags, verify the cluster membership and confirm the encryption status in logs.

3.1 Check Cluster Membership

consul members

Expected output:

Node           Address             Status  Type    Protocol  DC
consul-node-a  10.0.101.110:8301   alive   server  2         us-east-1
consul-node-b  10.0.101.248:8301   alive   server  2         us-east-1

3.2 Confirm Gossip Encryption in Logs

journalctl -u consul --no-pager | grep "Encrypt:"

Look for:

Encrypt: Gossip: true, TLS-Incoming: false, TLS-Outgoing: false

Gossip: true confirms that a gossip key is loaded; the TLS-Incoming and TLS-Outgoing fields report the agent's RPC TLS settings, not the gossip verification flags, so they remain false here. Once verified, all gossip communication is encrypted and integrity-checked. Any new agent joining the cluster must include the same encrypt key in its configuration.
