Swarm manager is run in auto-lock mode

docker

Classification:

compliance

Framework:

cis-docker

Control:

7.6

Set up the docker integration.

Description

You should review whether you wish to run Docker swarm manager in auto-lock mode.

Rationale

When Docker restarts, both the TLS key used to encrypt communication among swarm nodes and the key used to encrypt and decrypt Raft logs on disk are loaded into each manager node's memory. You can protect the mutual TLS encryption key and the key used to encrypt and decrypt Raft logs at rest by initializing the swarm with the --autolock flag. With --autolock enabled, when Docker restarts you must unlock the swarm first, using a key encryption key generated by Docker when the swarm was initialized. This has benefits in a high security environment, but these should be balanced against the support issues caused by the swarm not starting automatically if, for example, the host were to experience an outage.

Audit

Run the following command. If the output is true, auto-lock mode is enabled.

docker info --format 'Swarm Autolock: {{ .Swarm.Cluster.Spec.EncryptionConfig.AutoLockManagers }}'

Alternatively, run the command below. If a key value is returned, the swarm was initialized with the --autolock flag. If the output is "no unlock key is set", the swarm was NOT initialized with the --autolock flag. This should be reviewed in line with the organization's IT security policy.

docker swarm unlock-key
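The two audit commands above only tell you the state once you have a swarm manager in front of you. As an added example (not part of the CIS benchmark or Docker's own tooling), the POSIX shell script below wraps the first check so it can run unattended across a fleet: it queries the same template field, .Swarm.Cluster.Spec.EncryptionConfig.AutoLockManagers, and maps the result to a PASS/FAIL/N-A verdict with a distinct exit code. The function and variable names are this example's own, and the assumption that a node which is not an active swarm manager yields something other than a bare true or false (an error or a non-boolean placeholder) is mine; the script treats any such output as "not applicable" rather than as a pass.

```shell
#!/bin/sh
# Added audit helper for CIS Docker 7.6 (swarm manager auto-lock).
# Not part of the benchmark or of Docker; names below are this example's own.

# Classify the raw output of the docker info template query.
# Exit codes: 0 = auto-lock enabled, 1 = auto-lock disabled, 2 = not applicable.
check_autolock_output() {
  case "$1" in
    true)
      echo "PASS: swarm manager runs in auto-lock mode"
      return 0
      ;;
    false)
      echo "FAIL: swarm manager does not run in auto-lock mode (remediate with: docker swarm update --autolock)"
      return 1
      ;;
    *)
      # Assumption: a node that is not an active swarm manager (worker, or no
      # swarm at all) produces an error or a non-boolean value for this field.
      echo "N/A: node is not an active swarm manager (raw output: '$1')"
      return 2
      ;;
  esac
}

# Query the live daemon and classify the result. Only the field value is
# requested so the case statement above can match it exactly.
audit_autolock() {
  raw=$(docker info --format '{{ .Swarm.Cluster.Spec.EncryptionConfig.AutoLockManagers }}' 2>/dev/null) \
    || raw="docker-info-failed"
  check_autolock_output "$raw"
}

# Usage on a manager node:  audit_autolock; echo "exit code $?"
```

Run it from a configuration-management or monitoring job and alert on exit code 1; exit code 2 is informational and keeps worker nodes from being counted as failures. The second audit command on the page, docker swarm unlock-key, is deliberately not wrapped here because its output is the unlock key itself, which should not be captured into logs.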

Remediation

If you are initializing a swarm, use the command below.

docker swarm init --autolock

If you want to set --autolock on an existing swarm manager node, use the following command.

docker swarm update --autolock

Impact

A swarm in auto-lock mode will not recover from a restart without manual intervention from an administrator to enter the unlock key. This may not always be desirable, and should be reviewed at a policy level.

Default value

By default, the swarm manager does not run in auto-lock mode.

References

  1. https://docs.docker.com/engine/swarm/swarm_manager_locking/

CIS controls

Version 6

14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.

Version 7

14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit.