Skip to content

Docker Swarm Unlock Key

Service Name: Docker Swarm

Service Description: Docker Swarm is Docker's native clustering and orchestration solution that turns a group of Docker hosts into a single virtual host. It allows you to deploy and manage a cluster of Docker nodes as a single system.

Service Address: https://docs.docker.com/engine/swarm/

Validation Type: Unavailable

IP Allow list: IP restrictions can be implemented at the Docker daemon level using TLS certificates and firewall rules, but not specifically for unlock keys.

Secret Access Scope: Grants ability to unlock an encrypted Docker Swarm manager after it restarts. Without this key, the Swarm cannot be recovered after a restart if autolock is enabled.

Secret Revokement URL: https://docs.docker.com/engine/swarm/swarm_manager_locking/#rotate-the-unlock-key

Secret Example: SWMKEY-1-7c37Cc8654o9Mm+GXSjBfUnPYdm4fUmlVl9LoHUYy+I

Suspicious Activity Investigation Instructions:

  • Check Docker Swarm manager logs for unauthorized unlock attempts
  • Review system logs for unexpected Docker Swarm restarts
  • Monitor network traffic to Docker Swarm manager nodes
  • Verify if any unauthorized nodes have joined the swarm
  • Check for unexpected changes to swarm configurations or services

Mitigation Instructions:

  • Immediately rotate the unlock key using docker swarm unlock-key --rotate

  • Verify all manager nodes in the swarm are secure and running expected

versions

  • Update firewall rules to restrict access to Docker Swarm API endpoints
  • Enable TLS authentication for Docker daemon communications
  • Consider implementing additional network segmentation for swarm traffic
  • Audit all nodes in the swarm to ensure they are legitimate
  • Review and update Docker daemon security configurations