Encryption at rest

  • Swarm data is always encrypted

  • A Swarm cluster can be "locked"

  • When a cluster is "locked", the encryption key is protected with a passphrase

  • Starting or restarting a locked manager requires the passphrase

  • This protects against:

    • theft (stealing a physical machine, a disk, a backup tape...)

    • unauthorized access (to e.g. a remote or virtual volume)

    • some vulnerabilities (like path traversal)

Locking a Swarm cluster

  • This is achieved through the docker swarm update command
  • Lock our cluster:
    docker swarm update --autolock=true
    

This will display the unlock key. Copy-paste it somewhere safe.

Locked state

  • If we restart a manager, it will now be locked
  • Restart the local Engine:
    sudo systemctl restart docker
    

Note: if you are doing the workshop on your own, using nodes that you provisioned yourself or with Play-With-Docker, you might have to use a different method to restart the Engine.

Checking that our node is locked

  • Manager commands (requiring access to encrypted data) will fail

  • Other commands are OK

  • Try a few basic commands:
    docker ps
    docker run alpine echo ♥
    docker node ls
    

(The last command should fail, and it will tell you how to unlock this node.)

Checking node state in scripts

  • The state of the node shows up in the output of docker info
  • Check the output of docker info:

    docker info
    
  • Can't see it? Too verbose? Grep to the rescue!

    docker info | grep ^Swarm
    
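
Added example (not from the workshop material): a small POSIX sh helper that turns the "Swarm:" line of docker info into an exit status a deployment script can act on, so it refuses to run manager commands on a locked node instead of failing half-way. It assumes the state words "active", "locked" and "inactive" as printed by the Engine, and tolerates the leading indentation that newer Engines put in front of that line (where a plain grep ^Swarm would match nothing).

```shell
# swarm_state_from: read `docker info` text on stdin, print the Swarm state word.
# Newer Engines indent this line under a "Server:" heading, hence [[:space:]]*.
swarm_state_from() {
    sed -n 's/^[[:space:]]*Swarm:[[:space:]]*//p' | head -n 1
}

# manager_ready STATE: 0 = manager commands will work, 2 = node is locked
# (needs `docker swarm unlock`), 1 = not a swarm member / unknown state.
manager_ready() {
    case "$1" in
        active) return 0 ;;
        locked) return 2 ;;
        *)      return 1 ;;
    esac
}

# current_swarm_state: query the local Engine (requires the docker CLI).
current_swarm_state() {
    docker info 2>/dev/null | swarm_state_from
}

# Constructed samples standing in for `docker info` output (not captured from
# a real node); only the "Swarm:" line matters to the parser.
SAMPLE_UNLOCKED="$(printf 'Server:\n Containers: 3\n Swarm: active\n  NodeID: constructed\n')"
SAMPLE_LOCKED="$(printf 'Server:\n Containers: 3\n Swarm: locked\n')"
SAMPLE_NO_SWARM="$(printf 'Swarm: inactive\n')"

# Walk the samples and report what a script should do in each state.
for sample in "$SAMPLE_UNLOCKED" "$SAMPLE_LOCKED" "$SAMPLE_NO_SWARM"; do
    state="$(printf '%s\n' "$sample" | swarm_state_from)"
    rc=0
    manager_ready "$state" || rc=$?
    case $rc in
        0) echo "state=$state: manager commands OK" ;;
        2) echo "state=$state: node is locked, run 'docker swarm unlock' first" ;;
        *) echo "state=$state: not an unlocked manager" ;;
    esac
done
```

On a real node, replace the sample loop with `manager_ready "$(current_swarm_state)"` and branch on its exit status.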

Unlocking a node

  • You will need the secret token that we obtained when enabling auto-lock earlier
  • Unlock the node:

    docker swarm unlock
    
  • Copy-paste the secret token that we got earlier

  • Check that manager commands now work correctly:

    docker node ls
    

Managing the secret key

  • If the key is compromised, you can change it and re-encrypt with a new key:

    docker swarm unlock-key --rotate
    
  • If you lost the key, you can get it as long as you have at least one unlocked node:

    docker swarm unlock-key -q
    

Note: if you rotate the key while some nodes are locked, without saving the previous key, those nodes won't be able to rejoin.

Note: if somebody steals both your disks and your key, you're not doomed: you can block the compromised node with docker node demote and docker node rm.

Unlocking the cluster permanently

  • If you want to remove the secret key, disable auto-lock
  • Permanently unlock the cluster:
    docker swarm update --autolock=false
    

Note: if some nodes are in locked state at that moment (or if they are offline/restarting while you disabled autolock), they still need the previous unlock key to get back online.

For more information about locking, you can check the upcoming documentation.