Guilherme Ferreira
Security is always a ground zero and with Docker, it is not different.
By locking your Docker Swarm Cluster, you are on the control of the keys that Docker uses to encrypt the Raft logs on disk and the TLS communication among your nodes.
How to lock a Docker Swarm Cluster?
You can either lock a new or an already running cluster.
For greenfield clusters, the following command is all that you need.
docker swarm init –autolock
For already deployed clusters, the command is:
docker swarm update –autolock=true
Both commands will prompt a key that is needed to unlock the cluster after a daemon restart (or whatever failure), example:
SWMKEY-1-+8NgAyKj5r3NcR4Fdgu+7W72urHxAx0EZP/0X
Keep this key noted somewhere secure, like in a password manager. When rotating your keys ( – shown at the end of this article), it’s recommended to keep the previous key for a while, in case of failure from the manager node while rotation.
How to unlock a Docker Swarm Cluster?
If your Docker daemon crashed, got restart or for whatever reason your server needed to be restarted or even replaced, the command to unlock your Docker Swarm is simple as:
docker swarm unlock
This command will ask you to provide the unlock generated key. This key is the same one displayed with the lock commands showed previously.
Disabling the locking protection
You may have your own good reasons to keep your cluster without this lock protection. For that, you must run:
docker swarm update –autolock=false
Rotating the keys
As with any other password, the good practices say that you should rotate it periodically and the command is:
docker swarm unlock-key –rotate
Again, it will prompt a new key that must be kept save somewhere secure plus always remember to maintain the old key for a while, until you are sure that all the Docker Swarm Manager nodes rotated their keys!
Display the current unlock key
Finally, we still have a chance to see the current unlock key, from a Manager Node, running the command:
docker swarm unlock-key
