// UnlockSwarm provides a key to decrypt data that is encrypted at rest. func (c *Cluster) UnlockSwarm(req types.UnlockRequest) error { key, err := encryption.ParseHumanReadableKey(req.UnlockKey) if err != nil { return err } c.Lock() if c.node != nil || c.locked != true { c.Unlock() return errors.New("swarm is not locked") } config := *c.lastNodeConfig config.lockKey = key n, err := c.startNewNode(config) if err != nil { c.Unlock() return err } c.Unlock() select { case <-n.Ready(): case <-n.done: if errors.Cause(c.err) == ErrSwarmLocked { return errors.New("swarm could not be unlocked: invalid key provided") } return fmt.Errorf("swarm component could not be started: %v", c.err) } go c.reconnectOnFailure(n) return nil }
// UnlockSwarm provides a key to decrypt data that is encrypted at rest. func (c *Cluster) UnlockSwarm(req types.UnlockRequest) error { c.controlMutex.Lock() defer c.controlMutex.Unlock() c.mu.RLock() state := c.currentNodeState() if !state.IsActiveManager() { // when manager is not active, // unless it is locked, otherwise return error. if err := c.errNoManager(state); err != errSwarmLocked { c.mu.RUnlock() return err } } else { // when manager is active, return an error of "not locked" c.mu.RUnlock() return errors.New("swarm is not locked") } // only when swarm is locked, code running reaches here nr := c.nr c.mu.RUnlock() key, err := encryption.ParseHumanReadableKey(req.UnlockKey) if err != nil { return err } config := nr.config config.lockKey = key if err := nr.Stop(); err != nil { return err } nr, err = c.newNodeRunner(config) if err != nil { return err } c.mu.Lock() c.nr = nr c.mu.Unlock() if err := <-nr.Ready(); err != nil { if errors.Cause(err) == errSwarmLocked { return errors.New("swarm could not be unlocked: invalid key provided") } return fmt.Errorf("swarm component could not be started: %v", err) } return nil }
func getKRW(swarmdir, unlockKey string) (*ca.KeyReadWriter, error) { var ( kek []byte err error ) if unlockKey != "" { kek, err = encryption.ParseHumanReadableKey(unlockKey) if err != nil { return nil, err } } krw := ca.NewKeyReadWriter(certPaths(swarmdir).Node, kek, manager.RaftDEKData{}) _, _, err = krw.Read() // loads all the key data into the KRW object if err != nil { return nil, err } return krw, nil }
// UnlockSwarm provides a key to decrypt data that is encrypted at rest. func (c *Cluster) UnlockSwarm(req types.UnlockRequest) error { c.controlMutex.Lock() defer c.controlMutex.Unlock() c.mu.RLock() state := c.currentNodeState() nr := c.nr c.mu.RUnlock() if nr == nil || errors.Cause(state.err) != errSwarmLocked { return errors.New("swarm is not locked") } key, err := encryption.ParseHumanReadableKey(req.UnlockKey) if err != nil { return err } config := nr.config config.lockKey = key if err := nr.Stop(); err != nil { return err } nr, err = c.newNodeRunner(config) if err != nil { return err } c.mu.Lock() c.nr = nr c.mu.Unlock() if err := <-nr.Ready(); err != nil { if errors.Cause(err) == errSwarmLocked { return errors.New("swarm could not be unlocked: invalid key provided") } return fmt.Errorf("swarm component could not be started: %v", err) } return nil }
if err != nil { return err } autolockManagers, err := cmd.Flags().GetBool("autolock") if err != nil { return err } var unlockKey []byte if cmd.Flags().Changed("unlock-key") { unlockKeyString, err := cmd.Flags().GetString("unlock-key") if err != nil { return err } unlockKey, err = encryption.ParseHumanReadableKey(unlockKeyString) if err != nil { return err } } // Create a cancellable context for our GRPC call ctx, cancel := context.WithCancel(ctx) defer cancel() client, err := engineapi.NewClient(engineAddr, "", nil, nil) if err != nil { return err } executor := container.NewExecutor(client)