I have two datacenters, and they use different encryption keys. So `consul join -wan` fails with "[ERR] memberlist: failed to receive: No installed keys could decrypt the message".
When I run `consul keyring --list`, it tells me the WAN and LAN use the same encryption key.
Is there a way to make the WAN and LAN use different keys, so I can use the WAN encryption key only for communication with other datacenters?
I am impacted by the same issue on consul 0.5.2
We've added encryption to ensure that no poorly configured agent could make two clusters join by mistake (which is hard to undo).
But now encrypted clusters cannot talk to each other via wan.
Is this behavior the intent?
Hi @youngking and @kamaradclimber you are correct, the current key goes to both WAN and LAN. We will take a look at making this more flexible.
Any updates on this issue?
For the moment, the only way to get this going is to write into the remote keyring yourself and then restart the servers. And don't use the keyring command or API after that 8)
We are going to close this out against the network areas feature in Consul Enterprise.
Network areas perform all their gossip over TCP, which can be secured with TLS, so this is a much more manageable solution than supporting multiple gossip keys for the WAN. After looking into this, the plumbing and management around gossip keys is really complex, so adding the ability to selectively manage different keys in different datacenters would be difficult to implement and use. Network areas, in combination with new TLS configs like ca_path make it much easier to delegate authority and manage encryption when there are a large number of Consul clusters joined on the WAN.
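The TLS side of the approach described in the comment above, as an added example that is not from the thread or from the Consul documentation: a server agent configuration that verifies both incoming and outgoing RPC connections and trusts a directory of CA certificates via `ca_path` rather than a single `ca_file`, so each datacenter's CA can be dropped into that directory separately instead of all datacenters sharing one CA. The file paths and datacenter name are assumed placeholders.

```json
{
  "datacenter": "dc1",
  "server": true,
  "verify_incoming": true,
  "verify_outgoing": true,
  "verify_server_hostname": true,
  "ca_path": "/etc/consul.d/tls/ca",
  "cert_file": "/etc/consul.d/tls/dc1-server.pem",
  "key_file": "/etc/consul.d/tls/dc1-server-key.pem"
}
```

With `verify_incoming` set, a peer that presents no certificate signed by one of the CAs under `ca_path` is rejected at the TLS handshake, which is the cross-datacenter boundary the gossip key was being asked to enforce in the original question. Network areas themselves are a Consul Enterprise feature, so this configuration only covers the TLS part that is also available in the open-source agent.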
Hmmm. Can I read this as meaning that network areas will be available to the public any time soon?