Docker swarm: overlay network encryption and MTLS
To encrypt application data, add --opt encrypted when creating the overlay network. This enables IPsec encryption at the VXLAN level. The encryption imposes a non-negligible performance penalty, so test this option before using it in production.
When you enable overlay encryption, Docker creates IPsec tunnels between all the nodes where tasks are scheduled for services attached to the overlay network. These tunnels use the AES algorithm, and manager nodes automatically rotate the keys every 12 hours.
Example creating an encrypted overlay network
$ docker network create --opt encrypted --driver overlay enc-network
MTLS: Mutual TLS
The nodes in a swarm use mutual TLS to authenticate, authorize and encrypt node-level communications in the swarm. Using mutual TLS means that every host communicates with the other swarm nodes using a certificate.
When you create a swarm from a host, Docker designates itself as a manager node. The manager node generates a new root certificate authority (CA) and a pair of keys (public, private) which are used to secure communications with other nodes that join the swarm.
The manager node also generates two tokens to use when adding nodes to the swarm: a worker token and a manager token. The tokens contain a digest of the root CA certificate and a randomly generated secret; this way the manager can verify that a node's request to join the swarm is legitimate, and only approved nodes are admitted to the swarm. When a node joins the swarm, the manager issues a certificate to the node; this certificate carries a generated node ID that identifies the node in the CN (Common Name) of the certificate, and the node's role in the OU (Organizational Unit).
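The two properties described above, the "encrypted" option on an overlay network and the node ID/role carried in a node certificate's CN and OU, are things a defender will want to verify on a running swarm. The following POSIX shell script is an added example, not code from the page or from Docker: it parses the output of `docker network inspect` and of `openssl x509 -subject` to check both. The sample inspect JSON and certificate subject line are constructed; the certificate path `/var/lib/docker/swarm/certificates/swarm-node.crt` and the OU values `swarm-manager` / `swarm-worker` are assumed from a default Docker install and are not stated on the page.

```shell
#!/bin/sh
# Added example: verify overlay encryption and node certificate identity in a swarm.
# Sample inputs below are constructed so the checks run without a Docker daemon.

# overlay_is_encrypted INSPECT_JSON
# Returns 0 when the network's driver options include the "encrypted" key,
# i.e. the network was created with `--opt encrypted`.
# Live use:  overlay_is_encrypted "$(docker network inspect enc-network)"
overlay_is_encrypted() {
    printf '%s\n' "$1" | grep -q '"encrypted"[[:space:]]*:'
}

# cert_subject_field SUBJECT_LINE FIELD
# Extracts one RDN value (O, OU or CN) from an OpenSSL subject line in either
#   subject=O = <swarm id>, OU = swarm-worker, CN = <node id>      (OpenSSL 1.1+)
# or
#   subject= /O=<swarm id>/OU=swarm-worker/CN=<node id>           (older OpenSSL)
# Live use (assumed default path):
#   openssl x509 -noout -subject -in /var/lib/docker/swarm/certificates/swarm-node.crt
cert_subject_field() {
    printf '%s\n' "$1" \
        | sed -n "s/.*[=,\/][[:space:]]*$2[[:space:]]*=[[:space:]]*\([^,\/]*\).*/\1/p" \
        | sed 's/[[:space:]]*$//'
}

# node_role_ok SUBJECT_LINE ROLE
# Returns 0 when the certificate's OU matches the expected role
# ("manager" or "worker"); the OU values swarm-manager / swarm-worker are assumed.
node_role_ok() {
    [ "$(cert_subject_field "$1" OU)" = "swarm-$2" ]
}

# --- constructed sample data ---------------------------------------------
SAMPLE_ENCRYPTED='[{"Name":"enc-network","Driver":"overlay","Options":{"encrypted":""}}]'
SAMPLE_PLAIN='[{"Name":"plain-network","Driver":"overlay","Options":{}}]'
SAMPLE_SUBJECT='subject=O = swarm-id-constructed, OU = swarm-worker, CN = node-id-constructed'

# --- demonstration --------------------------------------------------------
for name in SAMPLE_ENCRYPTED SAMPLE_PLAIN; do
    eval "json=\$$name"
    if overlay_is_encrypted "$json"; then
        echo "$name: overlay encryption ON"
    else
        echo "$name: overlay encryption OFF (create with --opt encrypted)"
    fi
done
echo "node id (CN): $(cert_subject_field "$SAMPLE_SUBJECT" CN)"
echo "role    (OU): $(cert_subject_field "$SAMPLE_SUBJECT" OU)"
node_role_ok "$SAMPLE_SUBJECT" worker && echo "role check: worker certificate as expected"
```

Run it as-is to see the checks against the constructed samples; on a swarm node, replace the sample variables with the live `docker network inspect` and `openssl x509 -subject` output shown in the comments. A node whose certificate OU does not match the role you expect it to hold, or an overlay network that should carry application traffic but lacks the `encrypted` option, is worth investigating.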