---
description: Automatically lock Swarm managers to protect encryption keys
keywords: swarm, manager, lock, unlock, autolock, encryption
title: Lock your swarm to protect its encryption key
---

The Raft logs used by swarm managers are encrypted on disk by default. The Raft
log holds the swarm's state, including service definitions and the contents of
Docker secrets, so this at-rest encryption protects that data from an attacker
who obtains a copy of the log files. One of the reasons this feature was
introduced was in support of the [Docker secrets](secrets.md) feature.

When Docker restarts, both the TLS key used to encrypt communication among swarm
nodes and the key used to encrypt and decrypt Raft logs on disk are loaded
into each manager node's memory. By default those keys are stored on the
manager's disk so that the daemon can load them unattended, which means an
attacker who copies the manager's data directory gets the keys along with the
encrypted logs. Docker can instead let you take ownership of these keys: the
mutual TLS key and the Raft log encryption key are themselves encrypted with a
key encryption key that is not stored in plaintext on the node, and each
manager must be manually unlocked after a restart. This feature is called
autolock.

When Docker restarts, you must
[unlock the swarm](#unlock-a-swarm) first, using the
key encryption key that Docker generated when the swarm was locked (printed as
a string beginning with `SWMKEY-1-`). Until you do, that manager cannot decrypt
its Raft log or serve swarm commands. You can rotate this key encryption key at
any time.

> [!NOTE]
>
> You don't need to unlock the swarm when a new node joins the swarm,
> because the key is propagated to it over mutual TLS.

## Initialize a swarm with autolocking enabled

When you initialize a new swarm, you can use the `--autolock` flag to
enable autolocking of swarm manager nodes when Docker restarts.

```console
$ docker swarm init --autolock

Swarm initialized: current node (k1q27tfyx9rncpixhk69sa61v) is now a manager.

To add a worker to this swarm, run the following command:

    docker swarm join \
    --token SWMTKN-1-0j52ln6hxjpxk2wgk917abcnxywj3xed0y8vi1e5m9t3uttrtu-7bnxvvlz2mrcpfonjuztmtts9 \
    172.31.46.109:2377

To add a manager to this swarm, run 'docker swarm join-token manager' and follow the instructions.

To unlock a swarm manager after it restarts, run the `docker swarm unlock`
command and provide the following key:

    SWMKEY-1-WuYH/IX284+lRcXuoVf38viIDK3HJEKY13MIHX+tTt8
```

Store the key in a safe place, such as a password manager, and not on the
manager nodes themselves: a copy of the unlock key sitting next to the encrypted
Raft logs gives an attacker with disk access everything needed to decrypt them.
If every manager restarts and the key has been lost, the swarm cannot be
unlocked, so treat the key as you would any other recovery secret.

When Docker restarts, you need to [unlock the swarm](#unlock-a-swarm). Until
then, any swarm command against that manager, such as listing services, fails
with an error like the following:

```console
$ sudo service docker restart

$ docker service ls

Error response from daemon: Swarm is encrypted and needs to be unlocked before it can be used. Use "docker swarm unlock" to unlock it.
```
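The two steps above, capturing the unlock key that `docker swarm init --autolock` prints and unlocking a manager that reports the locked error after a restart, as an added example script. This is not code from this page or from the docker project. It assumes the real `docker` CLI is on `PATH`, that `docker info --format '{{.Swarm.LocalNodeState}}'` reports `locked` for a locked manager, and that `docker swarm unlock` reads the key from stdin when stdin is not a terminal; the key file path in the usage comment is hypothetical, and the key is deliberately never written to the manager's own disk by this script.

```shell
#!/bin/sh
# Added example (not from the Docker docs or the docker project): helpers for
# operating a swarm manager with autolock enabled.
#
# Assumptions: the real `docker` CLI is on PATH; the unlock key is supplied by
# the caller (from a password manager or secrets mount), never baked into this
# script or left on the manager's disk, because a key stored next to the Raft
# logs defeats the point of autolock.

set -e

# Unlock keys printed by `docker swarm init --autolock`, `docker swarm update
# --autolock=true` and `docker swarm unlock-key` have this shape.
KEY_PATTERN='SWMKEY-1-[A-Za-z0-9+/=]\{20,\}'

# extract_unlock_key: pull the SWMKEY-1-... token out of captured command
# output (for example the banner from `docker swarm init --autolock`), so the
# key can be handed straight to a password manager instead of copied by hand.
# Prints the key, or nothing if none is present.
extract_unlock_key() {
    printf '%s\n' "$1" | grep -o "$KEY_PATTERN" | head -n 1
}

# valid_unlock_key: reject anything that is not a well-formed unlock key
# before it is sent to the daemon. Returns 0 when valid, 1 otherwise.
valid_unlock_key() {
    printf '%s\n' "$1" | grep -qx "$KEY_PATTERN"
}

# swarm_state: `docker info` exposes the local node's swarm state. A manager
# that restarted with autolock on reports "locked" until it is unlocked;
# an unlocked, working manager reports "active".
swarm_state() {
    docker info --format '{{.Swarm.LocalNodeState}}'
}

# unlock_swarm: unlock this manager with the key given as $1 and print the
# resulting state. The key is passed to docker on stdin rather than as a
# command-line argument, so it does not appear in `ps` output or shell history.
# Returns 2 for a malformed key, 1 if the daemon rejects the key, 0 otherwise.
unlock_swarm() {
    key=$1
    if ! valid_unlock_key "$key"; then
        echo "refusing to unlock: malformed unlock key" >&2
        return 2
    fi
    state=$(swarm_state)
    if [ "$state" != "locked" ]; then
        # Idempotent: nothing to do on a manager that is already unlocked.
        echo "swarm is $state, nothing to unlock" >&2
        printf '%s\n' "$state"
        return 0
    fi
    printf '%s\n' "$key" | docker swarm unlock || return 1
    swarm_state
}

# Usage (hypothetical path: a secrets mount that exists only for the duration
# of the unlock, not a file kept on the manager):
#   unlock_swarm "$(cat /run/secrets/swarm-unlock-key)"
```

Run `unlock_swarm` from a boot-time job that fetches the key from your secrets store; the state check first makes it safe to run repeatedly, and the format check stops a truncated or mis-pasted key from ever reaching the daemon.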

## Enable or disable autolock on an existing swarm

To enable autolock on an existing swarm, run `docker swarm update` with the
`--autolock` flag set to `true`. Docker prints a new unlock key, which you must
store as described above; to disable autolock later, set the flag to `false`.

```console
$ docker swarm update --autolock=true

Swarm updated.
To unlock a swarm manager after it restarts, run the `docker swarm unlock`
command and provide the following key:

```