In this guide, you’ll secure all gossip traffic within an existing HashiCorp Consul cluster by enabling gossip encryption and message verification. By default, gossip communications are unencrypted. We’ll update each server’s agent configuration to use a shared encryption key and enable both incoming and outgoing verification.
Table of Contents
Check Current Configuration
Enable Gossip Encryption
Validate Encryption
Links and References
1. Check Current Configuration
First, verify that your cluster is using a shared encryption key but has message verification disabled.
Consul Node   Configuration Path         Action
Node A        /etc/consul.d/config.hcl   Open and inspect existing settings
Node B        /etc/consul.d/config.hcl   Verify identical encrypt value
On Consul Node A
sudo vi /etc/consul.d/config.hcl
You should see a configuration block (JSON syntax) similar to:
{
  "log_level": "INFO",
  "node_name": "consul-node-a",
  "server": true,
  "ui": true,
  "leave_on_terminate": true,
  "data_dir": "/etc/consul.d/data/",
  "datacenter": "us-east-1",
  "client_addr": "0.0.0.0",
  "bind_addr": "10.0.101.110",
  "advertise_addr": "10.0.101.110",
  "retry_join": ["10.0.101.248"],
  "bootstrap_expect": 2,
  "enable_syslog": true,
  "encrypt": "62qhd/DH15Axr01MRUpMkvt53p4FAvu+FgARDUaMzA=",
  "encrypt_verify_incoming": false,
  "encrypt_verify_outgoing": false,
  "connect": { "enabled": true },
  "acl": {
    "enabled": true,
    "default_policy": "allow",
    "down_policy": "extend-cache"
  },
  "performance": { "raft_multiplier": 1 }
}
To generate or rotate a gossip encryption key, run:
consul keygen
Ensure the same key appears in every server's encrypt field; the value must be identical on all servers.
On Consul Node B
sudo vi /etc/consul.d/config.hcl
Confirm the encrypt value matches Node A and that both verification flags are set to false.
{
  "node_name": "consul-node-b",
  // ...
  "encrypt": "62qhd/DH15Axr01MRUpMkvt53p4FAvu+FgARDUaMzA=",
  "encrypt_verify_incoming": false,
  "encrypt_verify_outgoing": false,
  // ...
}
Restart Agents to View Current State
sudo systemctl restart consul
journalctl -u consul --no-pager | grep "Encrypt:"
Expected log output:
Encrypt: Gossip: true, TLS-Incoming: false, TLS-Outgoing: false
2. Enable Gossip Encryption
Follow two steps, in this order, to fully secure gossip traffic:
Step   Flag to Enable
1      encrypt_verify_outgoing = true
2      encrypt_verify_incoming = true
Step 1: Enable Outgoing Verification
Edit each node’s config.hcl:
{
  // ... existing settings ...
  "encrypt_verify_incoming": false,
  "encrypt_verify_outgoing": true,
  // ...
}
Restart the agent:
sudo systemctl restart consul
Step 2: Enable Incoming Verification
Once every node has restarted with outgoing verification on, update both nodes again:
{
  // ... existing settings ...
  "encrypt_verify_incoming": true,
  "encrypt_verify_outgoing": true,
  // ...
}
Restart to apply changes:
sudo systemctl restart consul
Restarting the Consul agent will momentarily interrupt cluster membership. Perform these steps during a maintenance window.
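Before each restart in the two-step rollout above, it helps to confirm that every node is at the same step, since a node that verifies incoming gossip drops plaintext from peers that are not yet sending encrypted gossip. The following Python is added here as an example and is not part of the original guide or of Consul itself: it takes each node's parsed agent config (the configs shown on this page use JSON syntax, so json.loads works on them), checks the shared key, and reports the rollout stage. The accepted key lengths and the default of true for absent verify flags are Consul's documented behaviour; the sample key and nodes are constructed.

```python
import base64
import binascii

# Consul accepts gossip keys of 16, 24 or 32 bytes, base64-encoded in config.
VALID_KEY_BYTES = {16, 24, 32}

def key_is_valid(encoded):
    """True if `encoded` is strict base64 decoding to an accepted key length."""
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError, TypeError):
        return False
    return len(raw) in VALID_KEY_BYTES

def check_rollout(configs):
    """Map {node_name: parsed agent config} to (stage, problems); stage is
    "key-only", "outgoing" or "complete", or "inconsistent" if nodes disagree."""
    problems = []
    keys = {n: c.get("encrypt") for n, c in configs.items()}
    for n, k in keys.items():
        if not k:
            problems.append(f"{n}: no encrypt key configured")
        elif not key_is_valid(k):
            problems.append(f"{n}: encrypt key is not base64 of 16/24/32 bytes")
    if len(set(keys.values())) > 1:
        problems.append("encrypt key differs between nodes")
    # Consul defaults both verify flags to true when they are absent.
    out = {n: c.get("encrypt_verify_outgoing", True) for n, c in configs.items()}
    inc = {n: c.get("encrypt_verify_incoming", True) for n, c in configs.items()}
    # A node verifying incoming gossip drops plaintext from peers not yet sending
    # encrypted gossip, so incoming may only be true once outgoing is true everywhere.
    if any(inc.values()) and not all(out.values()):
        lagging = ", ".join(sorted(n for n, v in out.items() if not v))
        problems.append(f"verify_incoming enabled before outgoing on: {lagging}")
    if problems:
        return "inconsistent", problems
    if not any(out.values()) and not any(inc.values()):
        return "key-only", []
    if all(out.values()) and not any(inc.values()):
        return "outgoing", []
    if all(out.values()) and all(inc.values()):
        return "complete", []
    return "inconsistent", ["nodes are at different steps; finish the step everywhere"]

# Constructed sample: a 32-byte key and two nodes that have finished step 1.
SAMPLE_KEY = base64.b64encode(bytes(32)).decode()
SAMPLE = {n: {"encrypt": SAMPLE_KEY, "encrypt_verify_incoming": False,
              "encrypt_verify_outgoing": True} for n in ("consul-node-a", "consul-node-b")}
```

Run check_rollout over the configs collected from all nodes before restarting for step 2; anything other than ("outgoing", []) means the cluster is not ready for encrypt_verify_incoming.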
3. Validate Encryption
After enabling both flags, verify the cluster membership and confirm the encryption status in logs.
3.1 Check Cluster Membership
consul members
Expected output:
Node           Address            Status  Type    Protocol  DC
consul-node-a  10.0.101.110:8301  alive   server  2         us-east-1
consul-node-b  10.0.101.248:8301  alive   server  2         us-east-1
3.2 Confirm Gossip Encryption in Logs
journalctl -u consul --no-pager | grep "Encrypt:"
Look for the following line. Gossip: true confirms the gossip key is in use; the TLS-Incoming and TLS-Outgoing fields report the agent's RPC TLS settings, not the gossip verification flags, so they stay false here:
Encrypt: Gossip: true, TLS-Incoming: false, TLS-Outgoing: false
Once verified, all gossip communication is encrypted and integrity-checked. Any new agent joining the cluster must include the same encrypt key in its configuration.
Links and References