Docker Swarm Unlock Key
Service Name: Docker Swarm
Service Description: Docker Swarm is Docker's native clustering and orchestration solution that turns a group of Docker hosts into a single virtual host. It allows you to deploy and manage a cluster of Docker nodes as a single system.
Service Address: https://docs.docker.com/engine/swarm/
Validation Type: Unavailable
IP Allow list: IP restrictions can be implemented at the Docker daemon level using TLS certificates and firewall rules, but not specifically for unlock keys.
Secret Access Scope: Grants ability to unlock an encrypted Docker Swarm manager after it restarts. Without this key, the Swarm cannot be recovered after a restart if autolock is enabled.
Secret Revokement URL: https://docs.docker.com/engine/swarm/swarm_manager_locking/#rotate-the-unlock-key
Secret Example: SWMKEY-1-7c37Cc8654o9Mm+GXSjBfUnPYdm4fUmlVl9LoHUYy+I
Suspicious Activity Investigation Instructions:
- Check Docker Swarm manager logs for unauthorized unlock attempts
- Review system logs for unexpected Docker Swarm restarts
- Monitor network traffic to Docker Swarm manager nodes
- Verify if any unauthorized nodes have joined the swarm
- Check for unexpected changes to swarm configurations or services
Mitigation Instructions:
-
Immediately rotate the unlock key using docker swarm unlock-key --rotate
-
Verify all manager nodes in the swarm are secure and running expected
versions
- Update firewall rules to restrict access to Docker Swarm API endpoints
- Enable TLS authentication for Docker daemon communications
- Consider implementing additional network segmentation for swarm traffic
- Audit all nodes in the swarm to ensure they are legitimate
- Review and update Docker daemon security configurations