11.3.2.1 Daemon TLS Protection

A focused guide to Daemon TLS Protection, connecting core concepts with practical Docker and container operations.

Daemon TLS protection encrypts and authenticates connections to a remotely accessible Docker daemon, so that only clients presenting a valid certificate issued by a trusted CA can issue commands. It is the essential safeguard for any Docker daemon configured to accept network connections.

Generating the Necessary Certificates

Properly configured TLS protection requires a certificate authority, a server certificate for the daemon, and client certificates for each authorized client.

openssl genrsa -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -out ca.pem

This creates the certificate authority that will sign both the server's and the clients' certificates, giving each side a common root of trust against which to verify the other.

Configuring the Daemon to Require Client Certificates

The daemon is configured to use its own server certificate and to require and verify a valid client certificate before accepting any command.

dockerd --tlsverify \
  --tlscacert=ca.pem \
  --tlscert=server-cert.pem \
  --tlskey=server-key.pem \
  -H=0.0.0.0:2376

The --tlsverify flag makes the daemon reject any connection that does not present a client certificate signed by the trusted CA named in --tlscacert; without it, the daemon would encrypt the connection but accept commands from any client.

Configuring a Client to Connect Using Its Certificate

A client connecting to this protected daemon must present its own valid, CA-signed certificate.

docker --tlsverify \
  --tlscacert=ca.pem \
  --tlscert=client-cert.pem \
  --tlskey=client-key.pem \
  -H=remote-host:2376 ps
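As an added example (not part of the original guide), the following Go program, using only the standard library, reproduces the decision a --tlsverify daemon makes about a presented client certificate: Go's TLS server, which dockerd is built on, verifies that the certificate chains to the CA given as --tlscacert and carries the clientAuth extended key usage. The program builds a CA in the ca.pem role, issues leaf certificates under it, and then judges three candidates: a client certificate signed by the daemon's CA, one signed by an unrelated CA, and the daemon's own server certificate offered as a client certificate. All names, keys and certificates are constructed in the program; Ed25519 keys are used for brevity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints a self-signed CA (the ca.pem role) when parent is nil, otherwise a leaf
// signed by parent, as server-cert.pem and each client-cert.pem are. Ed25519 for brevity.
func issue(name string, parent *tls.Certificate, eku ...x509.ExtKeyUsage) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: name}, IsCA: parent == nil, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		ExtKeyUsage: eku} // serverAuth for the daemon, clientAuth for clients
	signer, signerKey := t, any(key) // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	} else {
		t.KeyUsage = x509.KeyUsageCertSign
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, signer, pub, signerKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// daemonAccepts applies the check a --tlsverify daemon makes on a presented client
// certificate: it must chain to ca.pem and be valid for client authentication.
func daemonAccepts(ca *x509.Certificate, client tls.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := client.Leaf.Verify(x509.VerifyOptions{Roots: pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// Scenarios: verdicts for a client cert signed by the daemon's CA, one signed by an
// unrelated CA, and the daemon's own server certificate offered as a client cert.
func Scenarios() (signedByCA, otherCA, serverCertAsClient bool) {
	ca, other := issue("docker-ca", nil), issue("unrelated-ca", nil)
	return daemonAccepts(ca.Leaf, issue("alice", &ca, x509.ExtKeyUsageClientAuth)),
		daemonAccepts(ca.Leaf, issue("bob", &other, x509.ExtKeyUsageClientAuth)),
		daemonAccepts(ca.Leaf, issue("daemon", &ca, x509.ExtKeyUsageServerAuth))
}
```

Only the first candidate is accepted: a certificate from another CA fails chain building, and a server certificate fails the clientAuth key-usage check, which is why the client certificates generated for the procedure above must carry the clientAuth extended key usage.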

Why Certificate-Based Authentication Is Preferable to a Simple Password

Certificate-based authentication is stronger and more narrowly scoped than a simple shared password: each client holds its own credential, so a single client's access can be revoked individually without affecting the others.

# Marks the certificate as revoked in the CA's database (requires the CA section of openssl.cnf).
openssl ca -cert ca.pem -keyfile ca-key.pem -revoke client-cert.pem

Why Daemon TLS Protection Matters

Properly configured TLS, covering both encryption and client certificate verification, is the essential, non-optional safeguard for any Docker daemon exposed over the network. Without it, the daemon's root-equivalent access is available to anyone who can reach it at the network level.