Why swarm-node.key has two keys
Following this article, I understand that this file is holding the private key which is being used to encrypt the Raft logs and ensure the secure TLS communication between the nodes.
This is the file: /var/lib/docker/swarm/certificates/swarm-node.key
Looking inside its content:
It appears that it has two parts.
The first 1 (marked with green) is the raft-dek.
According to this article:
On manager hosts secrets are always encrypted at rest. By default, the key that encrypts these secrets (known as the Data Encryption Key, DEK) is also stored in plaintext on disk.
What is the second key ? Is it the key that responsible to encrypt the Raft logs ?
Does, this file contains two keys:
- Encrypt secrets
- Encrypt the the data to the Raft
?
There are two kinds of data that needs to be encrypted:
- The general traffic data between nodes.
- Sensitive secrets.
The traffic data between nodes is encrypted by TLS. The swarm uses MTLS to protect communications between nodes.
The sensitive secrets are encrypted by the DEK.
This swarm-node.key file contains only one private key, which is the key used in TLS. This file is constructed with two parts: the header part and the body part. The body part carries the actual private key. And the header part can carry extra information. In this case, the DEK resides in the header part.
// the raft DEK (data encryption key) is stored in the TLS key as a header
// these are the header values
pemHeaderRaftDEK = "raft-dek"
...
- ERROR [build 6/6] RUN dotnet publish "" -c Release -o /app/publish
- ElementNotInteractableException: element not interactable: element has zero size appears since upgrade to chromedriver 83
- Ports are not available: listen tcp 0.0.0.0/50070: bind: An attempt was made to access a socket in a way forbidden by its access permissions
- Running NiFi 2.0 using HTTP
- Docker Compose - How to execute multiple commands?
- Docker with Vite - env variables are undefined inside the docker container
- How to use host network for docker compose?
- Vulkan is unable to detect Nvidia GPU from within a docker container when using the Nvidia Container Toolkit
- Docker nodemon doesn't hot reload even though the volumes has been set up
- docker compose override a ports property instead of merging it
- Pushing image to Artifact Registry returning 403 Forbidden Error
- Difference between RUN cd and WORKDIR in Dockerfile
- Operation not permitted on gitlab-runner
- Unable to connect to port 53589 on EC2 instance using Docker and Caddy server
- Nuget Bind mounts in Dockerfile
- How to force SQL Server container to immediately update MDF file in Docker volume?
- WSL Failed to Initialize on Windows 11
- Unable to run docker image, Error: Cannot find module '/app/yarn dev'
- Running a local kibana in a container
- How do I run a command on an already existing Docker container?
- Docker desktop Mac is not opening
- How to use Nginx (deployed with Docker) reverse proxy Gitlab (deployed with Docker too)
- docker-compose up gives 'failed to read dockerfile: error from sender'
- Can't build Docker image with Postgresql
- Enable debugging of postgresql functions on database inside a docker container using pgAdmin
- GDB Error: Unable to Fetch SVE/SSVE Vector Length ("Invalid Argument") on Docker - Ubuntu - Apple M4
- Docker runs PostgreSQL in "trust" mode
- Start up script fails with error "-e: invalid option", what is missing?
- At least one invalid signature was encountered
- How to combine a Nginx and a NodeJS Docker container