Swarm manager auto-lock key is rotated periodically

docker

Classification:

compliance

Framework:

cis-docker

Control:

7.7

Set up the docker integration.

Description

You should rotate the swarm manager auto-lock key periodically.

Rationale

The swarm manager auto-lock key is not automatically rotated. Good security practice is to rotate keys.

Audit

There is no mechanism to find out when the key was last rotated on a swarm manager node. Check with the system administrator to see if there is a key rotation process, and how often the key is rotated.

Remediation

Run the following command on a swarm manager node to rotate the auto-lock key: docker swarm unlock-key --rotate

Additionally, to facilitate auditing of this recommendation, you should maintain key rotation records and ensure that you establish a pre-defined frequency for key rotation.
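The rotation record and audit the remediation calls for, as an added shell example; this is not part of the CIS benchmark or of Docker's own tooling. It wraps docker swarm unlock-key --rotate, appends a timestamped record line (never the key value itself) to a log file, and checks the age of the most recent record against a maximum. The record path, the DOCKER_BIN override, the operator field and the 90-day default are assumptions chosen for illustration, not values from the benchmark.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark or Docker): rotate the swarm
# auto-lock key, keep a rotation record, and audit the record's age.
# Assumed values: ROTATION_LOG path, DOCKER_BIN override, 90-day default.

ROTATION_LOG="${ROTATION_LOG:-/var/log/swarm-unlock-key-rotations.log}"
DOCKER_BIN="${DOCKER_BIN:-docker}"

# Rotate the key on this manager and append one record line:
#   "<epoch> <iso8601-utc> <operator>"
# The new unlock key is printed once to stdout for the operator to store in
# the secret store; it is deliberately not written to the record file.
rotate_unlock_key() {
    epoch=$(date -u +%s)
    iso=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    out=$("$DOCKER_BIN" swarm unlock-key --rotate 2>&1) || {
        printf 'rotation failed: %s\n' "$out" >&2
        return 1
    }
    printf '%s %s %s\n' "$epoch" "$iso" "${USER:-unknown}" >> "$ROTATION_LOG"
    printf '%s\n' "$out"
}

# Print whole days since the last recorded rotation; fail if there is no record.
# Optional $1 is the "current" epoch, so the check can be replayed in tests.
days_since_last_rotation() {
    now=${1:-$(date -u +%s)}
    [ -s "$ROTATION_LOG" ] || return 1
    last=$(tail -n 1 "$ROTATION_LOG" | cut -d' ' -f1)
    echo $(( (now - last) / 86400 ))
}

# Audit: PASS if the last rotation is within $1 days (default 90), else FAIL.
# Optional $2 is the "current" epoch (see above).
audit_rotation_age() {
    max_days=${1:-90}
    age=$(days_since_last_rotation "$2") || {
        echo "FAIL: no rotation record found in $ROTATION_LOG"
        return 1
    }
    if [ "$age" -gt "$max_days" ]; then
        echo "FAIL: last rotation $age days ago exceeds policy of $max_days days"
        return 1
    fi
    echo "PASS: last rotation $age days ago (policy: $max_days days)"
}
```

Usage: run rotate_unlock_key from the rotation procedure and audit_rotation_age from the periodic check; because the log stores only timestamps and an operator name, it can be shared with auditors without exposing the unlock key.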

Impact

None

Default value

By default, keys are not rotated automatically.

References

  1. https://docs.docker.com/engine/reference/commandline/swarm_unlock-key/

CIS controls

Version 6

14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.

Version 7

14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.