This adds the ability for nodes to encrypt traffic between them using Curve25519 keys. The model does not use a trust relationship between the nodes based on the keys; the keys are used solely to further armor the encryption as it goes over the wire. This provides protection against people being able to intercept traffic and brute force the cluster wide encryption key.
Authorization to the cluster is provided by a new AccessKey config parameter, which is mixed into the shared secret derived from the public/private keys. This provides a similar access control mechanism to the current Secret Key mechanism, but without exposing the cluster to long term brute forcing.
The private keys used by each node are generated on node start; they are not stored on disk at all. This introduces the idea of an "encryption partition", where node A might send a message to node B with node B's old public key. B will thusly reject the message and node A will observe B as being down. This is effectively the same as if B were actually down. When node B started up, it sent its new public key in alive messages to cluster members. Alive gossiping means that eventually A will observe B's new public key and the partition will be resolved.
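The following is an added worked example, not code from this pull request or from the project, that plays out the design described above end to end: ephemeral X25519 key pairs generated at node start, an AccessKey mixed into the ECDH shared secret, and the "encryption partition" that appears when A still holds B's pre-restart public key and heals once gossip delivers the new one. It goes one step further than the description by also showing a node that knows the right public keys but has the wrong AccessKey being rejected. Everything beyond the PR's own terms is an assumption: `crypto/ecdh` for X25519, HMAC-SHA256 as the mixing construction, AES-256-GCM as the wire cipher, and the names `Node`, `StartNode`, `Seal`, `Open`, `send`, `Scenario` and the `accessKey` field are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

var ErrRejected = errors.New("message rejected: authentication failed") // stale public key or different AccessKey

// Node is one cluster member; its X25519 key pair is generated on start and held only in memory.
type Node struct {
	Name      string
	priv      *ecdh.PrivateKey
	accessKey []byte // cluster-wide AccessKey from config (assumed field name)
}

// StartNode simulates node start-up with a fresh, never-persisted key pair.
func StartNode(name string, accessKey []byte) *Node {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only on a broken system RNG
	}
	return &Node{Name: name, priv: priv, accessKey: accessKey}
}

// PublicKey is the value the node would carry in its alive messages.
func (n *Node) PublicKey() *ecdh.PublicKey { return n.priv.PublicKey() }

// aead derives the wire key for one peer: the X25519 shared secret mixed with the
// AccessKey via HMAC-SHA256 (assumed construction), used as an AES-256-GCM key.
func (n *Node) aead(peerPub *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := n.priv.ECDH(peerPub)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, n.accessKey)
	mac.Write(shared)
	block, _ := aes.NewCipher(mac.Sum(nil)) // 32-byte MAC output -> AES-256; fixed length, cannot fail
	return cipher.NewGCM(block)
}

// Seal encrypts msg for peerPub; the random nonce is prepended and the sender's name is bound as AAD.
func (n *Node) Seal(peerPub *ecdh.PublicKey, msg []byte) ([]byte, error) {
	g, err := n.aead(peerPub)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, msg, []byte(n.Name)), nil
}

// Open decrypts wire from sender; any key mismatch fails the GCM tag check and becomes ErrRejected.
func (n *Node) Open(sender string, senderPub *ecdh.PublicKey, wire []byte) ([]byte, error) {
	g, err := n.aead(senderPub)
	if err != nil {
		return nil, err
	}
	if len(wire) < g.NonceSize() {
		return nil, ErrRejected
	}
	pt, err := g.Open(nil, wire[:g.NonceSize()], wire[g.NonceSize():], []byte(sender))
	if err != nil {
		return nil, ErrRejected
	}
	return pt, nil
}

// send delivers "ping" from a to b using the public key each side currently holds for the other.
func send(a, b *Node, aKnowsB, bKnowsA *ecdh.PublicKey) error {
	wire, err := a.Seal(aKnowsB, []byte("ping"))
	if err != nil {
		return err
	}
	_, err = b.Open(a.Name, bKnowsA, wire)
	return err
}

// Scenario plays out the description: B restarts with a new key, A still uses B's old
// key and is rejected (the "encryption partition"), alive gossip delivers the new key
// and traffic flows again. C holds the right public keys but the wrong AccessKey.
func Scenario() (rejectedWhileStale, healedAfterGossip, wrongAccessKeyRejected bool) {
	access := []byte("constructed-access-key")
	a, b := StartNode("A", access), StartNode("B", access)
	bKeyAtA := b.PublicKey()   // what A learned from B's last alive message
	b = StartNode("B", access) // B restarts: fresh key pair, the old one is gone for good
	rejectedWhileStale = errors.Is(send(a, b, bKeyAtA, a.PublicKey()), ErrRejected)
	bKeyAtA = b.PublicKey() // B's new alive message eventually reaches A
	healedAfterGossip = send(a, b, bKeyAtA, a.PublicKey()) == nil
	c := StartNode("C", []byte("constructed-other-key"))
	wrongAccessKeyRejected = errors.Is(send(a, c, c.PublicKey(), a.PublicKey()), ErrRejected)
	return
}
```

The point to take from the `Open` path is that a stale key on either side and a wrong AccessKey are indistinguishable to the receiver: both surface as a failed GCM tag check, so the sender simply sees the peer as down until gossip refreshes the key. Binding the sender's name as associated data means a ciphertext captured from one node cannot be replayed as if it came from another, which is a property the description implies but does not state.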