Secrets management and encryption at rest

(New in Docker Engine 1.13)

• Secrets management = selectively and securely bring secrets to services

• Encryption at rest = protect against storage theft or prying

• Remember:

  • control plane is authenticated through mutual TLS, certs rotated every 90 days

  • control plane is encrypted with AES-GCM, keys rotated every 12 hours

  • data plane is not encrypted by default (for performance reasons),
    but we saw earlier how to enable that with a single flag