Encryption at rest
Swarm data is always encrypted
A Swarm cluster can be "locked"
When a cluster is "locked", the encryption key is protected with a passphrase
Starting or restarting a locked manager requires the passphrase
This protects against:
theft (stealing a physical machine, a disk, a backup tape...)
unauthorized access (to e.g. a remote or virtual volume)
some vulnerabilities (like path traversal)
Locking a Swarm cluster
- This is achieved through the
docker swarm update
command
- Lock our cluster:
docker swarm update --autolock=true
This will display the unlock key. Copy-paste it somewhere safe.
Locked state
- If we restart a manager, it will now be locked
- Restart the local Engine:
sudo systemctl restart docker
Note: if you are doing the workshop on your own, using nodes that you provisioned yourself or with Play-With-Docker, you might have to use a different method to restart the Engine.
Checking that our node is locked
Manager commands (requiring access to crypted data) will fail
Other commands are OK
- Try a few basic commands:
docker ps docker run alpine echo ♥ docker node ls
(The last command should fail, and it will tell you how to unlock this node.)
Checking node state in scripts
- The state of the node shows up in the output of
docker info
Check the output of
docker info
:docker info
Can't see it? Too verbose? Grep to the rescue!
docker info | grep ^Swarm
Unlocking a node
- You will need the secret token that we obtained when enabling auto-lock earlier
Unlock the node:
docker swarm unlock
Copy-paste the secret token that we got earlier
Check that manager commands now work correctly:
docker node ls
Managing the secret key
If the key is compromised, you can change it and re-encrypt with a new key:
docker swarm unlock-key --rotate
If you lost the key, you can get it as long as you have at least one unlocked node:
docker swarm unlock-key -q
Note: if you rotate the key while some nodes are locked, without saving the previous key, those nodes won't be able to rejoin.
Note: if somebody steals both your disks and your key, .strike[you're doomed! Doooooomed!]
you can block the compromised node with docker node demote
and docker node rm
.
Unlocking the cluster permanently
- If you want to remove the secret key, disable auto-lock
- Permanently unlock the cluster:
docker swarm update --autolock=false
Note: if some nodes are in locked state at that moment (or if they are offline/restarting while you disabled autolock), they still need the previous unlock key to get back online.
For more information about locking, you can check the upcoming documentation.