cluster_backend_zeromq: Automatically enable encryption for multi-node clusters#106
Open
ckreibich (Member) reviewed on Apr 14, 2026:
LGTM Arne, I just have a quick question here about the choice of spool for the key info.
```
(
    "curve_dir",
    "string",
    "${SpoolDir}/zeromq/curve",
```
ckreibich (Member):
Would it be possible to make this ${CfgDir}? At least historically the spool is a transient storage place for data awaiting processing, so not a great fit for fixed configs.
Arne (author, Contributor):
I used SpoolDir because...

- didn't want to auto-generate directories/files into CfgDir (this would be next to etc/node.cfg or so)
- broker stores ended up in SpoolDir/stores and they already aren't transient. ${SpoolDir}/state.db is also located there.
- unless there are non-Zeekctl managed processes connecting: A re-deploy after deleting the keys will re-generate and re-distribute them to all cluster nodes, so they could be seen as somewhat transient.
I'll keep it there. The CfgDir seems less fitting (but certainly debatable and I see the point).
…e clusters
This change introduces two new options for the ZeroMQ cluster backend:
cluster_backend_zeromq.use_curve_encryption = auto|0|1
cluster_backend_zeromq.curve_dir = ${SpoolDir}/zeromq/curve
The directory is used to persistently store the generated keys. Keys are
generated by invoking Zeek and calling the ZeroMQ specific BiF
generate_keypair(). To pre-provision keys, it's possible to populate
the directory before invoking zeekctl.
By default, when a multi-node cluster is detected, encryption and key
generation is implicitly enabled. Setting use_curve_encryption to "0" or "1"
allows for explicit configuration. The default is "auto".
The keys are rendered verbatim into zeekctl-config.zeek. The assumption
here is that if anyone manages to get access to the zeekctl-config.zeek
file, they'll likely have a way to get to the keys in a different way
already.
Force-pushed from fdbc469 to bf1f8c5.
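The provisioning flow the commit message describes, as an added Python example that is not zeekctl's or Zeek's own code: the auto|0|1 resolution against the node count, keys persisted under the curve directory and reused on re-deploy (or regenerated once deleted, as the author's reply notes), and the secret rendered verbatim into the generated config. The file names public.key/secret.key, the redef names in render_config(), the config path under the spool and the offline key generator are assumptions; real zeekctl obtains keys by invoking Zeek's generate_keypair() BiF, and the fallback generator here only mimics the 40-character Z85 key format (it uses pyzmq's real zmq.curve_keypair() when that is installed). It also adds the check a practitioner wants given the "keys rendered verbatim" assumption: the secret key file and the rendered config are created mode 0600, and a pre-provisioned secret readable by group or others is rejected instead of deployed.

```python
"""Added example (not zeekctl's or Zeek's code): use_curve_encryption = auto|0|1, key persistence
under curve_dir, verbatim rendering into the config.  File/redef names and the keygen are assumed."""
import os
import tempfile
from pathlib import Path

Z85_ALPHABET = ("0123456789abcdefghijklmnopqrstuvwxyz"
                "ABCDEFGHIJKLMNOPQRSTUVWXYZ.-:+=^!/*?&<>()[]{}@%$#")

def z85_encode(data: bytes) -> str:
    """Z85 (ZeroMQ RFC 32), the text form of CurveZMQ keys: 4 bytes -> 5 chars."""
    out = []
    for i in range(0, len(data), 4):
        value, chunk = int.from_bytes(data[i:i + 4], "big"), []
        for _ in range(5):
            value, rem = divmod(value, 85)
            chunk.append(Z85_ALPHABET[rem])
        out.extend(reversed(chunk))
    return "".join(out)

def generate_keypair():
    """(public, secret) as 40-char Z85 strings: pyzmq's real zmq.curve_keypair() when
    available, else random placeholders of the same shape (NOT a valid pair; never deploy)."""
    try:
        import zmq
        return tuple(k.decode() for k in zmq.curve_keypair())
    except Exception:  # pyzmq missing, or libzmq built without CURVE support
        return z85_encode(os.urandom(32)), z85_encode(os.urandom(32))

def resolve_use_curve(setting: str, node_count: int) -> bool:
    """auto: encrypt only multi-node clusters; "0"/"1": force off/on regardless."""
    if setting == "auto":
        return node_count > 1
    if setting in ("0", "1"):
        return setting == "1"
    raise ValueError("use_curve_encryption must be auto, 0 or 1, not %r" % setting)

def write_private(path: Path, text: str) -> None:
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(path, 0o600)  # O_CREAT's mode is ignored when the file already exists

def provision_keys(curve_dir: Path, keygen=generate_keypair):
    """Reuse pre-provisioned keys from curve_dir, else generate and persist them;
    a pre-existing secret that group/others can read is rejected, not reused."""
    pub_path, sec_path = curve_dir / "public.key", curve_dir / "secret.key"
    if pub_path.exists() and sec_path.exists():
        mode = sec_path.stat().st_mode & 0o777
        if mode & 0o077:
            raise PermissionError("%s is mode %04o, expected 0600" % (sec_path, mode))
        return pub_path.read_text().strip(), sec_path.read_text().strip()
    curve_dir.mkdir(parents=True, exist_ok=True)
    os.chmod(curve_dir, 0o700)
    public, secret = keygen()
    pub_path.write_text(public + "\n")
    write_private(sec_path, secret + "\n")
    return public, secret

def render_config(use_curve: bool, public, secret) -> str:
    """zeekctl-config.zeek fragment with keys rendered verbatim (redef names assumed)."""
    lines = ["redef Cluster::Backend::ZeroMQ::use_curve = %s;" % ("T" if use_curve else "F")]
    if use_curve:
        lines += ['redef Cluster::Backend::ZeroMQ::curve_public_key = "%s";' % public,
                  'redef Cluster::Backend::ZeroMQ::curve_secret_key = "%s";' % secret]
    return "\n".join(lines) + "\n"

def deploy(nodes, setting: str, spool: Path, keygen=generate_keypair) -> dict:
    """One deploy: decide, provision, render; the rendered config holds the secret, so 0600."""
    use_curve = resolve_use_curve(setting, len(nodes))
    public = secret = None
    if use_curve:
        public, secret = provision_keys(spool / "zeromq" / "curve", keygen)
    config = spool / "zeekctl-config.zeek"  # assumed location under the spool
    write_private(config, render_config(use_curve, public, secret))
    return {"use_curve": use_curve, "public": public, "secret": secret,
            "config_mode": config.stat().st_mode & 0o777}

def demo() -> dict:
    """Exercise the flow in a temp dir with a constructed three-node cluster."""
    nodes = ["manager", "logger", "worker-1"]
    with tempfile.TemporaryDirectory() as tmp:
        spool, curve = Path(tmp), Path(tmp) / "zeromq" / "curve"
        first = deploy(nodes, "auto", spool)          # multi-node: keys generated
        second = deploy(nodes, "auto", spool)         # re-deploy: same keys reused
        single = deploy(["zeek"], "auto", spool)      # standalone: encryption stays off
        forced_on = deploy(["zeek"], "1", spool)      # explicit "1" overrides auto
        for p in curve.iterdir(): p.unlink()          # delete the keys, as in the reply above
        regenerated = deploy(nodes, "auto", spool)    # next deploy: fresh pair
        os.chmod(curve / "secret.key", 0o644)         # simulate sloppy pre-provisioning
        try:
            deploy(nodes, "auto", spool)
            rejected = False
        except PermissionError:
            rejected = True
        return {"first": first, "second": second, "single": single, "forced_on": forced_on,
                "regenerated": regenerated, "rejected": rejected,
                "curve_dir_mode": curve.stat().st_mode & 0o777}
```

Pre-provisioning follows the path the commit message describes: drop public.key and secret.key into the curve directory before the first deploy and provision_keys() picks them up instead of generating; deleting them makes the next deploy generate a fresh pair, which is the "somewhat transient" reasoning in the author's reply. The 0600 handling of the rendered config is the practical consequence of rendering the secret verbatim: anyone who can read that file holds the cluster's CURVE secret.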