How to get primary encryption key by HTTP API?

Hello all,

As I can see from HTTP API can be used for getting consul encryption key if we have Consul token, but this article does not cover the case when I want to get the primary encryption key.

During my research, I found that the primary key is in zero position all time, but it is not proved by documentation. My assumption was that I can get Consul encryption key by the following command:

curl -s http://<CONSUL_ADDR>8500/v1/operator/keyring?token=<CONSUL_ACL_TOKEN> | jq -r -c '.[] | select( .WAN == true ) | .Keys | keys[0]'

Can you confirm or disprove this way for getting the encryption key via HTTP API, please?

My version of Consul is 1.2.2.

Hi! Thanks for reaching out!

All keys are treated equally which means there is no primary encryption key. Maybe you could share more details about your use case so I can better understand what you are looking for.


My question is in the next:

during the rotation process, some of the keys that will be returned by this API can be inactive. I want to be sure that the key that I’ll get by using this API will be active.

Hi! So I was wrong! There is a primary encryption key. This is the key that is used by the agent to encrypt gossip communication.

Every agent maintains its own list of keys. And one of them is the primary one, which means it is used to encrypt messages.

You can read about it here: and here:

If you want to be sure what the primary key is, you should be setting it yourself with: When you install a new key, it doesn’t mean it is going to be used for encryption. This key will be used for decryption, in case the primary one fails.

Lets assume you want to provision a new key, you would

  1. install new key and wait until every agent has it
  2. change the primary encryption key
  3. remove the old key

Let me know if that helps or if you need more information.