Docker: lock and unlock swarm cluster
The Raft logs that hold swarm manager configuration data are encrypted on disk by default. When Docker restarts, both the TLS key used to encrypt communication among swarm nodes and the key used to encrypt and decrypt the Raft logs are loaded into each manager's memory. Docker can additionally protect those two keys by encrypting them on disk and requiring you to manually unlock each manager with an unlock key after every restart. This feature is called autolock.
When autolock is enabled, a restarted manager will not serve any swarm commands until it has been unlocked with the key Docker generated when the swarm was locked.
Note: all commands are executed from a swarm manager.
Enable autolock
To enable autolock, enter the following command on a swarm manager.
$ docker swarm update --autolock=true
Docker will generate an unlock key and print it once; store it somewhere safe, such as a password manager. The output looks like this:
Swarm updated.
To unlock a swarm manager after it restarts, run the `docker swarm unlock`
command and provide the following key:
SWMKEY-1-+MrE8NgAyKj5r3NcR4FiQMdgu+7W72urH0EZeSmP/0Y
Please remember to store this key in a password manager, since without it you
will not be able to restart the manager.
Test autolock
Restart Docker and enter a command that interacts with the swarm.
$ systemctl restart docker
$ docker node ls
If autolock is configured properly you should receive the following error instead of the node list.
Error response from daemon: Swarm is encrypted and needs to be unlocked before it can be used. Use "docker swarm unlock" to unlock it.
Unlock the swarm
To unlock the swarm enter the following; Docker will prompt for the key generated when you enabled autolock.
$ docker swarm unlock
Please enter unlock key:
To verify the unlock, run any swarm command again:
$ docker node ls
It should return the nodes of the swarm and not ask for the unlock key.
How to obtain the current key
If you need to view the key of a swarm that is already unlocked (like every other swarm command, this one fails on a locked manager), enter:
$ docker swarm unlock-key
How to rotate autolock key
If you need to change the autolock key, enter the following. The key is shared by all managers, so rotating it on one manager rotates it for the whole swarm; keep the old key for a few minutes, in case a manager goes down before it receives the new key, and then discard it.
$ docker swarm unlock-key --rotate
Successfully rotated manager unlock key.
To unlock a swarm manager after it restarts, run the `docker swarm unlock`
command and provide the following key:
SWMKEY-1-8jDgbUNlJtUe5P/lcr9IXGVxqZpZUXPzd+qzcGp4ZYA
Please remember to store this key in a password manager, since without it you
will not be able to restart the manager.
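The enable, test, unlock and rotate steps above are all interactive. The following script is an added example, not code from the original post or from Docker, of how an operator might automate them on a manager: it parses the SWMKEY token out of the command output shown above, keeps it in a root-only file, and feeds it to docker swarm unlock after a daemon restart (the CLI reads the key from stdin when stdin is not a terminal). The key file path, the SWARM_UNLOCK_KEY_FILE and SWARM_AUTOLOCK_ACTION variables and the .old backup file are assumptions of this example; the error text it matches is the message quoted above.

```shell
#!/bin/sh
# Added example, not code from the original post or from Docker itself.
# Helper for managers with autolock enabled: keep the unlock key in a
# root-only file and feed it to `docker swarm unlock` after a daemon restart.
# Assumptions: the key file path below (override with SWARM_UNLOCK_KEY_FILE)
# and the SWARM_AUTOLOCK_ACTION variable that selects an action; the error
# text matched in swarm_is_locked is the message the daemon prints when locked.
set -eu

KEY_FILE="${SWARM_UNLOCK_KEY_FILE:-/root/.swarm-unlock-key}"

# extract_unlock_key OUTPUT: pull the SWMKEY-1-... token out of the text printed
# by `docker swarm update --autolock=true` or `docker swarm unlock-key [--rotate]`.
# Prints an empty string when the output contains no key.
extract_unlock_key() {
    printf '%s\n' "$1" | grep -o 'SWMKEY-1-[A-Za-z0-9+/=]*' | head -n 1
}

# swarm_is_locked STDERR: 0 when the daemon reports a locked swarm, 1 otherwise.
swarm_is_locked() {
    case "$1" in
        *"Swarm is encrypted and needs to be unlocked"*) return 0 ;;
        *) return 1 ;;
    esac
}

# store_key KEY FILE: write the key with mode 0600 so only root can read it.
# The umask change runs in a subshell so it does not leak into the caller.
store_key() {
    ( umask 077; printf '%s\n' "$1" > "$2" )
    chmod 600 "$2"
}

# unlock_if_needed: probe the swarm with `docker node ls`; if the daemon says it
# is locked, pipe the stored key into `docker swarm unlock`. Any other failure
# (not a manager, daemon down, ...) is reported rather than retried.
unlock_if_needed() {
    if err=$(docker node ls 2>&1 >/dev/null); then
        echo "swarm already unlocked"
        return 0
    fi
    if swarm_is_locked "$err"; then
        docker swarm unlock < "$KEY_FILE"
    else
        echo "docker node ls failed for another reason: $err" >&2
        return 1
    fi
}

# rotate_key: rotate the unlock key on this (unlocked) manager and replace the
# stored copy; the previous key is kept in KEY_FILE.old so a manager that
# restarts before receiving the new key can still be unlocked for a short while.
rotate_key() {
    [ -f "$KEY_FILE" ] && cp -p "$KEY_FILE" "$KEY_FILE.old"
    store_key "$(extract_unlock_key "$(docker swarm unlock-key --rotate)")" "$KEY_FILE"
}

case "${SWARM_AUTOLOCK_ACTION:-}" in
    enable)  store_key "$(extract_unlock_key "$(docker swarm update --autolock=true)")" "$KEY_FILE" ;;
    unlock)  unlock_if_needed ;;
    rotate)  rotate_key ;;
    *)       : ;;   # no action requested: only define the functions (safe to source)
esac
```

Run it as SWARM_AUTOLOCK_ACTION=enable, then SWARM_AUTOLOCK_ACTION=unlock after each restart (for example from a unit that runs after docker.service), and SWARM_AUTOLOCK_ACTION=rotate when the key needs to change. Note the trade-off: the unlock key exists to protect the TLS and Raft keys at rest, so leaving it in a plain file on the same disk as the manager largely defeats that protection. In a real deployment the key file should live on a separately protected volume, be fetched at boot from a secret store, or be replaced by an operator typing the key, as the manual procedure above does.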
How to disable autolock
To disable autolock enter the following; after the restart, docker node ls should work without an unlock prompt:
$ docker swarm update --autolock=false
$ sudo systemctl restart docker
$ docker node ls