Skip to main content

Documentation Index

Fetch the complete documentation index at: https://notes.kodekloud.com/llms.txt

Use this file to discover all available pages before exploring further.

In this guide, you’ll secure all gossip traffic within an existing HashiCorp Consul cluster by enabling gossip encryption and message verification. By default, gossip communications are unencrypted. We’ll update each server’s agent configuration to use a shared encryption key and enable both incoming and outgoing verification.

Table of Contents

  1. Check Current Configuration
  2. Enable Gossip Encryption
  3. Validate Encryption
  4. Links and References

1. Check Current Configuration

First, verify that your cluster is using a shared encryption key but has message verification disabled.
Consul NodeConfiguration PathAction
Node A/etc/consul.d/config.hclOpen and inspect existing settings
Node B/etc/consul.d/config.hclVerify identical encrypt value

On Consul Node A

sudo vi /etc/consul.d/config.hcl
You should see an HCL block similar to: 
{
  "log_level": "INFO",
  "node_name": "consul-node-a",
  "server": true,
  "ui": true,
  "leave_on_terminate": true,
  "data_dir": "/etc/consul.d/data/",
  "datacenter": "us-east-1",
  "client_addr": "0.0.0.0",
  "bind_addr": "10.0.101.110",
  "advertise_addr": "10.0.101.110",
  "retry_join": ["10.0.101.248"],
  "bootstrap_expect": 2,
  "enable_syslog": true,
  "encrypt": "62qhd/DH15Axr01MRUpMkvt53p4FAvu+FgARDUaMzA=",
  "encrypt_verify_incoming": false,
  "encrypt_verify_outgoing": false,
  "connect": { "enabled": true },
  "acl": {
    "enabled": true,
    "default_policy": "allow",
    "down_policy": "extend-cache"
  },
  "performance": { "raft_multiplier": 1 }
}
To generate or rotate a gossip encryption key, run:
consul keygen
Ensure the same key appears in every server’s encrypt field.

On Consul Node B

sudo vi /etc/consul.d/config.hcl
Confirm the encrypt value matches Node A and that both verification flags are set to false. 
{
  "node_name": "consul-node-b",
  // ...
  "encrypt": "62qhd/DH15Axr01MRUpMkvt53p4FAvu+FgARDUaMzA=",
  "encrypt_verify_incoming": false,
  "encrypt_verify_outgoing": false,
  // ...
}

Restart Agents to View Current State

sudo systemctl restart consul
journalctl -u consul --no-pager | grep "Encrypt:"
Expected log output: 
Encrypt: Gossip: true, TLS-Incoming: false, TLS-Outgoing: false

2. Enable Gossip Encryption

Follow two steps to fully secure gossip traffic:
StepFlag to Enable
1encrypt_verify_outgoing = true
2encrypt_verify_incoming = true

Step 1: Enable Outgoing Verification

Edit each node’s config.hcl: 
{
  // ... existing settings ...
  "encrypt_verify_incoming": false,
  "encrypt_verify_outgoing": true,
  // ...
}
Restart the agent: 
sudo systemctl restart consul

Step 2: Enable Incoming Verification

Update both nodes again: 
{
  // ... existing settings ...
  "encrypt_verify_incoming": true,
  "encrypt_verify_outgoing": true,
  // ...
}
Restart to apply changes: 
sudo systemctl restart consul
Restarting the Consul agent will momentarily interrupt cluster membership. Perform these steps during a maintenance window.

3. Validate Encryption

After enabling both flags, verify the cluster membership and confirm the encryption status in logs.

3.1 Check Cluster Membership

consul members
Expected output:
NodeAddressStatusTypeProtocolDC
consul-node-a10.0.101.110:8301aliveserver2us-east-1
consul-node-b10.0.101.248:8301aliveserver2us-east-1

3.2 Confirm Gossip Encryption in Logs

journalctl -u consul --no-pager | grep "Encrypt:"
Look for: 
Encrypt: Gossip: true, TLS-Incoming: false, TLS-Outgoing: false
Once verified, all gossip communication is encrypted and integrity-checked. Any new agent joining the cluster must include the same encrypt key in its configuration.

Watch Video

Practice Lab