Enable TLS Encryption for Nomad agents

Hi,

Gone through the documentation Enable TLS Encryption for Nomad | Nomad - HashiCorp Learn to understand the steps for enabling the TLS encryption for the Nomad agents. But curious to know, is there any way we can configure a password-protected keystore? Any suggestions?

If possible, could you please suggest how the password can be configured.

Hi @ananthakrishna.udupa! What password-protected keystore are you referring to? Nomad doesn’t use passwords at all, just mTLS certs (which you’ve seen), the gossip key, and ACL tokens (see Secure Nomad with Access Control | Nomad - HashiCorp Learn).

Thanks @tgross. Here, “password-protected keystore file” means that we can create a keystore file with or without a password. It is the file we configure for “key_file” in the tls stanza.

Example:
Command to create a password-protected, 2048-bit private key (domain.key):
openssl genrsa -des3 -out domain.key 2048

Without a password:
openssl genrsa -out domain.key 2048

Any update on the above use case? Thanks in advance.

The tls stanza doc doesn’t mention passwords anywhere and I wasn’t able to find any references in the Learn guides, so it doesn’t seem like it’s a supported feature right now.


Sorry I missed this had been updated. @tonino has it right, that’s not a feature we support for TLS certs. I’m going to admit I’m not sure I’ve ever seen a server application that supports passwords on its own certs… the application would need some way of getting the password, which would end up being on disk and have effectively the same exposure as the certs themselves would.
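As an added example (not code from this thread or from Nomad itself), a POSIX shell pre-start check for the situation the thread ends on: it detects whether the PEM named in the tls stanza's key_file is passphrase-protected, which the agent cannot load, and rewrites it as the plain PEM Nomad expects with owner-only permissions. The function names, the constructed sample PEM headers and the passphrase-source paths are assumptions; openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Nomad reads the tls "key_file" as plain PEM, so a passphrase-protected key
# must be detected and decrypted before the agent starts. Assumes openssl.

# Write constructed sample files (header-only placeholders, not real keys)
# into directory $1, showing both on-disk forms a key_file can take.
write_constructed_samples() {
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
    'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' \
    '' 'Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=' \
    '-----END RSA PRIVATE KEY-----' > "$1/encrypted.key"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' \
    'Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=' \
    '-----END PRIVATE KEY-----' > "$1/plain.key"
}

# Exit 0 when file $1 is a passphrase-protected private key. Both forms are
# recognised: the legacy "Proc-Type: 4,ENCRYPTED" header written by
# `openssl genrsa -des3`, and the PKCS#8 "ENCRYPTED PRIVATE KEY" wrapper
# that newer OpenSSL releases write for -aes256.
key_file_is_encrypted() {
  grep -Eq '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Rewrite encrypted key $1 as unencrypted PEM $2 (owner-only permissions).
# $3 is the passphrase source in openssl -passin syntax, e.g. "env:KEY_PASS"
# or "file:/etc/nomad.d/key.pass" (assumed paths), keeping the secret off
# the command line where `ps` could see it.
strip_key_passphrase() {
  ( umask 077 && openssl pkey -in "$1" -passin "$3" -out "$2" ) &&
    ! key_file_is_encrypted "$2"
}

# Pre-start check for the agent: fail loudly instead of letting Nomad
# choke on a key it cannot read.
check_nomad_key_file() {
  if [ ! -r "$1" ]; then
    echo "key_file $1 is missing or unreadable" >&2
    return 1
  fi
  if key_file_is_encrypted "$1"; then
    echo "key_file $1 is passphrase-protected; Nomad cannot prompt for it, decrypt it first" >&2
    return 1
  fi
  return 0
}
```

Run `check_nomad_key_file /path/to/key_file` from a systemd ExecStartPre or a wrapper script; `strip_key_passphrase` is the one-time conversion for keys that were generated with -des3.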