2.23 Run swarm manager in auto-lock mode

Information

Run Docker swarm manager in auto-lock mode.

Rationale:

When Docker restarts, both the TLS key used to encrypt communication among swarm nodes and the key used to encrypt and decrypt Raft logs on disk are loaded into each manager node's memory. You should protect the mutual TLS encryption key and the key used to encrypt and decrypt Raft logs at rest. This protection can be enabled by initializing the swarm with the --autolock flag.

With --autolock enabled, when Docker restarts, you must unlock the swarm first, using a key encryption key generated by Docker when the swarm was initialized.

Solution

If you are initializing a swarm, use the command below.

docker swarm init --autolock

If you want to set --autolock on an existing swarm manager node, use the command below.

docker swarm update --autolock
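The following script is an added example, not part of the CIS benchmark text or Tenable's audit plugin. It shows how an auditor would evaluate this control from the daemon's own reporting and how the remediation above fits in. It assumes that `docker info --format` with the Go template `{{ .Swarm.Cluster.Spec.EncryptionConfig.AutoLockManagers }}` prints `true` or `false` on a manager node and prints nothing to stdout on a node that is not a swarm manager; the sample values at the bottom are constructed to stand in for that output.

```shell
#!/bin/sh
# Added example (not CIS/Tenable code): audit the swarm auto-lock setting
# and apply the remediation from this control.
# Assumption: the docker info template below prints "true"/"false" on a
# manager and nothing on stdout (with an error on stderr) elsewhere.

# Classify the raw value printed by docker info.
# PASS  = auto-lock enabled (control satisfied)
# FAIL  = manager runs without auto-lock (finding)
# NOT_A_MANAGER = empty value: worker node, no swarm, or no docker binary
autolock_status() {
  case "$1" in
    true)  echo PASS ;;
    false) echo FAIL ;;
    *)     echo NOT_A_MANAGER ;;
  esac
}

# Query the live daemon and classify the result.
audit_autolock() {
  value=$(docker info \
    --format '{{ .Swarm.Cluster.Spec.EncryptionConfig.AutoLockManagers }}' \
    2>/dev/null)
  autolock_status "$value"
}

# Remediation for an existing swarm (same command as the control's Solution).
# Docker prints the unlock key once; keep it outside the node, because every
# manager will need it after a daemon restart (docker swarm unlock).
remediate_autolock() {
  docker swarm update --autolock
}

# Constructed sample values representing docker info output on three nodes.
SAMPLE_LOCKED="true"
SAMPLE_UNLOCKED="false"
SAMPLE_WORKER=""

if [ "${1:-}" = "--live" ]; then
  audit_autolock
else
  for v in "$SAMPLE_LOCKED" "$SAMPLE_UNLOCKED" "$SAMPLE_WORKER"; do
    printf '%-7s -> %s\n' "${v:-<empty>}" "$(autolock_status "$v")"
  done
fi
```

Run it with `--live` on a manager node to check the real daemon; without arguments it walks the three constructed samples so the classification logic can be exercised offline. A FAIL result is the finding this control reports; remediating it with `remediate_autolock` means accepting the availability impact described below, since the unlock key must be entered after each restart.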


Impact:

A swarm in auto-lock mode won't recover from a restart without manual intervention from a user to enter the unlock key. In some deployments, this might not be acceptable for availability.

Default Value:

By default, the swarm manager does not run in auto-lock mode.

See Also

https://workbench.cisecurity.org/files/1476

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-13

Plugin: Unix

Control ID: dbc14b25313837315c0f5ffde724434310a5665d6c19caa30e8589256026f7d0