How to get Consul's primary encryption key?

Here is the case: I need to join a new Consul agent to a Consul server.
The Consul cluster uses encryption through a gossip protocol and has several encryption keys; one of the keys is primary.

consul-1.6.2 keyring -list
==> Gathering installed encryption keys...
WAN:
  MtCoI1jWxWBCjRTEinj2cg== [3/3]
  RLxxvdx3qxjB1rHXgAPT4w== [3/3]
  UK8AlLHvC6yjDG9P2JpR5A== [3/3]
  VTMnBMH96jMZODqqQKGkyw== [3/3]
  XSv1BNHSlWjOuc4h8S7PeA== [3/3]
  e2TodcvzA7M49fhGhR08bw== [3/3]
  hDht56QXx2XQ7WFgjbvV+Q== [3/3]
  iwXMy8F5zfoGHQof2AjKFQ== [3/3]
us-central1 (LAN):
  iwXMy8F5zfoGHQof2AjKFQ== [5/5]
  MtCoI1jWxWBCjRTEinj2cg== [5/5]
  RLxxvdx3qxjB1rHXgAPT4w== [5/5]
  UK8AlLHvC6yjDG9P2JpR5A== [5/5]
  VTMnBMH96jMZODqqQKGkyw== [5/5]
  XSv1BNHSlWjOuc4h8S7PeA== [5/5]
  e2TodcvzA7M49fhGhR08bw== [5/5]
  hDht56QXx2XQ7WFgjbvV+Q== [5/5]

How can I get the primary encryption key to join the client to the server using the configuration key “encrypt”?

I didn’t find any API requests for it: https://www.consul.io/api/operator/keyring.html

So I think it isn’t necessary to get a primary encryption key, but what is the common practice then? The procedure “Change Primary Gossip Encryption Key” looks suitable.

Change the primary encryption key and use it instead of the old one. Could someone approve my idea? Which way do you use for it?

What you suggested sounds good to me! At the same time I wish there was an API to get the primary key. Feel free to create an issue for that.
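
The "Change Primary Gossip Encryption Key" approach agreed on above, as an added example (not code from this thread or from the Consul project): generate a new key, install it, promote it only once `keyring -list` reports it on every member of every pool, then write it into the new agent's `encrypt` setting. It assumes the `consul` binary is on PATH with keyring permissions; the function names, the output-path argument and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: rotate the gossip primary key so that its value is known.
# Assumption: `consul` is on PATH and this operator may modify the keyring.

# Reads `consul keyring -list` output on stdin. Returns 0 only if key $1 is
# present in every pool section and reported on all members ([n/n]).
key_on_all_members() {
    awk -v key="$1" '
        /:$/ {                                  # pool header, e.g. "WAN:"
            if (pools > 0 && !seen) missing = 1 # previous pool lacked the key
            pools++; seen = 0; next
        }
        $1 == key {
            seen = 1
            n = $2; gsub(/[^0-9]+/, " ", n); split(n, c, " ")  # "[3/5]" -> 3, 5
            if (c[1] != c[2]) partial = 1
        }
        END {
            if (pools > 0 && !seen) missing = 1
            if (pools == 0 || missing || partial) exit 1
            exit 0
        }'
}

# Hypothetical helper: $1 is the path of the config fragment for the new agent.
rotate_primary() {
    new_key=$(consul keygen) || return 1
    consul keyring -install "$new_key" || return 1
    # Promoting a key that some member lacks would cut that member off.
    if ! consul keyring -list | key_on_all_members "$new_key"; then
        echo "new key is not on every member yet; not promoting it" >&2
        return 1
    fi
    consul keyring -use "$new_key" || return 1
    # Keep the key out of logs; write it with owner-only permissions.
    ( umask 077; printf '{"encrypt": "%s"}\n' "$new_key" > "$1" )
}

# Constructed sample listing (keys are placeholders, not real secrets).
SAMPLE_KEYRING='==> Gathering installed encryption keys...
WAN:
  AAAAAAAAAAAAAAAAAAAAAA== [3/3]
  BBBBBBBBBBBBBBBBBBBBBB== [2/3]
dc1 (LAN):
  AAAAAAAAAAAAAAAAAAAAAA== [5/5]
  BBBBBBBBBBBBBBBBBBBBBB== [5/5]'
```

Old keys can be dropped with `consul keyring -remove` once no agent configuration still references them.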