You can configure the initial encryption key either in the configuration file, under the encrypt parameter, or by using the -encrypt CLI flag. That key is used to join the gossip pool at first startup and, in a default configuration, will be ignored once the key gets rotated, meaning that the node will use the new key that is automatically distributed to all live agents during the rotation.

The key will be stored in each agent's local keyring file at <data_dir>/serf/local.keyring, and that file will have priority over the config or CLI parameter. If you set disable_keyring_file to true in the configuration, then the agent will not store the keys in a keyring file and you will need to pass a valid gossip key on agent restarts. The same will happen if you remove the client data directory before restart.

The tutorial wanted to demonstrate all the steps needed "from 0 to key rotation". Another option, if you do not want to generate the initial key and pass it to the clients, is to use auto_config. This will take care of the key creation and distribution for you, but it will not yet rotate it, and you will have to use the consul keyring command to do that.
Hope this helps.
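An added example (not part of the reply above) showing the steps it describes as a script: generate an initial key of the shape consul keygen produces, write an agent config with encrypt and disable_keyring_file, and rotate the key with consul keyring. It assumes bash, openssl and the consul binary on PATH; the data_dir path is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not from the forum post: bootstrap a Consul agent's gossip
# key and rotate it with `consul keyring`. Assumes bash, openssl and consul.
set -eu

CONSUL="${CONSUL:-consul}"      # override to point at a specific binary

# Generate a 32-byte base64 key, the same shape `consul keygen` produces
# (assumption: openssl is available; on a real host just run `consul keygen`).
gen_gossip_key() {
  openssl rand -base64 32
}

# Write an agent config that sets the initial key. With disable_keyring_file
# = true the key is never persisted to <data_dir>/serf/local.keyring, so the
# current key must be supplied again (config or -encrypt) on every restart.
write_agent_config() {
  local path="$1" key="$2" persist_keyring="${3:-true}"
  local disable=false
  [ "$persist_keyring" = true ] || disable=true
  cat > "$path" <<EOF
data_dir = "/opt/consul"                 # placeholder path
encrypt = "${key}"
disable_keyring_file = ${disable}
EOF
}

# Rotate the gossip key: install the new key on every live agent, make it the
# primary, then drop the old one; -list shows the resulting keyring state.
rotate_gossip_key() {
  local old_key="$1" new_key="$2"
  "$CONSUL" keyring -install "$new_key"
  "$CONSUL" keyring -use "$new_key"
  "$CONSUL" keyring -remove "$old_key"
  "$CONSUL" keyring -list
}

# Confirm a written config carries the expected encrypt value.
config_has_key() {
  grep -q "^encrypt = \"$2\"" "$1"
}
```

Run rotate_gossip_key only after the new key has been installed on every agent that is expected to stay in the pool, since an agent that misses the -install step cannot decrypt gossip once the old key is removed.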