
Secure Docker Daemon & Configure Remote Access

Docker - This article is part of a series.
Part 2: This Article

Docker is powerful, but its API is root on the host: whoever can talk to an unauthenticated daemon over the network can start a privileged container and own the machine. Let’s secure the Docker daemon and set up remote access safely.

Step 1: Use TLS (HTTPS) for the Docker API endpoint

Never expose the daemon’s TCP endpoint without TLS. Run it with --tlsverify so that the connection is encrypted and, just as important, both sides are authenticated: the client checks the server certificate against your CA, and the daemon only accepts clients that present a certificate signed by that same CA. Encryption alone (plain --tls) still lets anyone on the network drive the daemon.

  1. Create certificates for the CA, the server and the clients. Official Documentation
# 1️⃣ Become root
sudo su

# 2️⃣ Create cert directory
mkdir -p /etc/docker/certs && cd $_

# 3️⃣ Create CA (10 years)
openssl genrsa -out ca-key.pem 4096
openssl req -new -x509 -days 3650 -key ca-key.pem -sha256 -out ca.pem

# 4️⃣ Create Server Key + CSR
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=<DNS_NAME>" -sha256 -new -key server-key.pem -out server.csr

# 5️⃣ Add SAN (DNS + IP)
echo subjectAltName = DNS:<DNS_NAME>,IP:<IP_ADDRESS>,IP:127.0.0.1 >> extfile.cnf
echo extendedKeyUsage = serverAuth >> extfile.cnf

# 6️⃣ Sign Server Certificate
openssl x509 -req -days 3650 -sha256 \
  -in server.csr \
  -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
  -out server-cert.pem \
  -extfile extfile.cnf

# 7️⃣ Create Client Certificate (one per user or system that may reach the daemon)
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -sha256 -new -key key.pem -out client.csr
echo extendedKeyUsage = clientAuth > extfile-client.cnf

openssl x509 -req -days 3650 -sha256 \
  -in client.csr \
  -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
  -out cert.pem \
  -extfile extfile-client.cnf

# 8️⃣ Cleanup + Secure Permissions
rm -v client.csr server.csr extfile.cnf extfile-client.cnf
chmod -v 0400 ca-key.pem key.pem server-key.pem
chmod -v 0444 ca.pem server-cert.pem cert.pem
# ca-key.pem can mint new client certificates, i.e. new root-equivalent users:
# move it off this host (or at least out of /etc/docker/certs) once signing is done.
# cert.pem and key.pem are what you copy to the client machine; the daemon only needs
# ca.pem, server-cert.pem and server-key.pem.
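Before pointing dockerd at these files, run a consistency check on them. The script below is an added example for this article, not part of the Docker documentation; it assumes the file names used above (ca.pem, server-cert.pem, server-key.pem, cert.pem, key.pem) and takes the certificate directory plus the name you put in the server SAN. It checks the chain, the extended key usages, that each private key matches its certificate, the 0400 permissions on keys, expiry, and that the SAN carries the name clients will connect to. The SAN check matters because the docker CLI is written in Go, which ignores a hostname that appears only in the CN and rejects such a server certificate.

```shell
#!/bin/sh
# Added example: verify_docker_certs DIR [SERVER_NAME]
# Checks a Docker TLS certificate set (file names as created above) before it
# is handed to dockerd. Prints one FAIL line per problem; returns 0 only when
# every check passes.
verify_docker_certs() {
    dir=$1
    name=$2
    fail=0

    # Private keys must be owner-read-only (0400). Works with GNU and BSD stat.
    for k in ca-key.pem server-key.pem key.pem; do
        mode=$(stat -c '%a' "$dir/$k" 2>/dev/null || stat -f '%Lp' "$dir/$k" 2>/dev/null || echo missing)
        if [ "$mode" != "400" ]; then
            echo "FAIL: $k has mode $mode, expected 400"; fail=1
        fi
    done

    # Both leaf certificates must chain to ca.pem and stay valid for 30 more days.
    for c in server-cert.pem cert.pem; do
        if ! openssl verify -CAfile "$dir/ca.pem" "$dir/$c" >/dev/null 2>&1; then
            echo "FAIL: $c does not verify against ca.pem"; fail=1
        fi
        if ! openssl x509 -in "$dir/$c" -noout -checkend 2592000 >/dev/null 2>&1; then
            echo "FAIL: $c expires within 30 days (or is already expired)"; fail=1
        fi
    done

    # Each private key must belong to its certificate: compare the public keys.
    for pair in "server-cert.pem server-key.pem" "cert.pem key.pem"; do
        set -- $pair
        certpub=$(openssl x509 -in "$dir/$1" -noout -pubkey 2>/dev/null || true)
        keypub=$(openssl pkey -in "$dir/$2" -pubout 2>/dev/null || true)
        if [ -z "$certpub" ] || [ "$certpub" != "$keypub" ]; then
            echo "FAIL: $2 does not match $1"; fail=1
        fi
    done

    # Extended key usage: serverAuth on the server cert, clientAuth on the client cert.
    srv=$(openssl x509 -in "$dir/server-cert.pem" -noout -text 2>/dev/null || true)
    cli=$(openssl x509 -in "$dir/cert.pem" -noout -text 2>/dev/null || true)
    case $srv in *"TLS Web Server Authentication"*) ;;
        *) echo "FAIL: server-cert.pem lacks extendedKeyUsage serverAuth"; fail=1 ;;
    esac
    case $cli in *"TLS Web Client Authentication"*) ;;
        *) echo "FAIL: cert.pem lacks extendedKeyUsage clientAuth"; fail=1 ;;
    esac

    # The name clients connect to must be a SAN entry (DNS or IP); Go clients
    # such as the docker CLI ignore the CN entirely.
    if [ -n "$name" ]; then
        if ! printf '%s\n' "$srv" | grep -Eq "(DNS|IP Address):$name(,|\$)"; then
            echo "FAIL: server-cert.pem SAN does not contain $name"; fail=1
        fi
    fi

    [ "$fail" -eq 0 ] && echo "OK: certificate set in $dir is consistent"
    return $fail
}
```

Run it as `verify_docker_certs /etc/docker/certs <DNS_NAME>` on the daemon host before the next step; a non-zero exit means one of the FAIL lines above tells you which file to regenerate.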
  2. Configure remote access for the Docker daemon: Official Documentation
# 1️⃣ Check Docker service status
sudo systemctl status docker

# 2️⃣ Inspect the current Docker unit (read-only; never edit the vendor file, package upgrades overwrite it)
sudo systemctl cat docker.service
		# Look for this line under [Service]
		# ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock

# 3️⃣ Create systemd override directory
sudo mkdir -p /etc/systemd/system/docker.service.d

# 4️⃣ Create override configuration
sudo vim /etc/systemd/system/docker.service.d/override.conf

# Add the following (the empty ExecStart= clears the vendor value, the second
# line restates it with the TLS listener added):
# -------------------
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -H tcp://<IP_ADDRESS>:2376 --tlsverify --tlscacert=/etc/docker/certs/ca.pem --tlscert=/etc/docker/certs/server-cert.pem --tlskey=/etc/docker/certs/server-key.pem
# -------------------
# Do not also set "hosts" in /etc/docker/daemon.json: dockerd refuses to start when the
# same option arrives both as a flag and from the config file. Keep the listener in one place.

# 5️⃣ Reload systemd to apply changes
sudo systemctl daemon-reload

# 6️⃣ Restart Docker service
sudo systemctl restart docker.service

# 7️⃣ Verify Docker is running with new config
sudo systemctl status docker

# 8️⃣ Verify the port is listening and that the daemon answers only over mutual TLS
sudo ss -lntp | grep 2376            # or: sudo netstat -lntp
docker -H tcp://<IP_ADDRESS>:2376 version        # must FAIL: no TLS, the daemon refuses plaintext
docker --tlsverify \
  --tlscacert=/etc/docker/certs/ca.pem \
  --tlscert=/etc/docker/certs/cert.pem \
  --tlskey=/etc/docker/certs/key.pem \
  -H tcp://<IP_ADDRESS>:2376 version             # must succeed (the IP is in the server cert SAN)

# 9️⃣ Alternative to steps 3-7: run the daemon in the foreground with TLS (Port 2376)
# Only while the systemd units are stopped; two daemons cannot share the socket or the port.
# Stop docker.socket too, or socket activation will start docker.service again behind your back.
sudo systemctl stop docker.service docker.socket
dockerd \
  --tlsverify \
  --tlscacert=/etc/docker/certs/ca.pem \
  --tlscert=/etc/docker/certs/server-cert.pem \
  --tlskey=/etc/docker/certs/server-key.pem \
  -H=<IP_ADDRESS>:2376            # bind one address; 0.0.0.0 exposes every interface

# 🔟 Connect from Client
docker --tlsverify \
  --tlscacert=ca.pem \
  --tlscert=cert.pem \
  --tlskey=key.pem \
  -H=<DNS_NAME>:2376 version
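A listening port does not prove that --tlsverify is enforced. The function below is an added example for this article (not Docker’s own tooling) that checks the three behaviours a correctly configured daemon must show: plaintext HTTP is refused, TLS without a client certificate is refused, and TLS with the CA-signed client certificate returns the /version document. It assumes curl on the client machine, the daemon’s address and port, and a directory holding ca.pem, cert.pem and key.pem from Step 1.

```shell
#!/bin/sh
# Added example: check_docker_remote HOST PORT CERT_DIR
# Probes a dockerd TCP endpoint and confirms that it serves only mutually
# authenticated TLS clients. Returns 0 when all three expectations hold,
# 1 on the first one that does not.
check_docker_remote() {
    host=$1
    port=$2
    dir=$3
    url="https://$host:$port/version"

    # 1) Plaintext HTTP must be refused. A --tlsverify daemon speaks TLS only,
    #    so curl gets an empty reply or a reset, i.e. a non-zero exit.
    if curl -s -m 5 --fail -o /dev/null "http://$host:$port/version"; then
        echo "FAIL: $host:$port answered a plaintext HTTP request (is TLS enabled at all?)"
        return 1
    fi

    # 2) TLS without a client certificate must be refused. The CA is trusted here,
    #    so the only thing that can fail the handshake is the missing client cert.
    if curl -s -m 5 --fail -o /dev/null --cacert "$dir/ca.pem" "$url"; then
        echo "FAIL: $host:$port accepted a client without a certificate (--tls instead of --tlsverify?)"
        return 1
    fi

    # 3) TLS with the CA-signed client certificate must succeed and return the API's
    #    version document.
    body=$(curl -s -m 5 --fail --cacert "$dir/ca.pem" \
                --cert "$dir/cert.pem" --key "$dir/key.pem" "$url") || {
        echo "FAIL: mTLS request with $dir/cert.pem was rejected (wrong CA, expired cert, or $host not in the server SAN?)"
        return 1
    }

    echo "OK: $host:$port serves only mutually authenticated clients"
    echo "$body"
    return 0
}
```

Run it from the client as `check_docker_remote <DNS_NAME> 2376 /path/to/certs`; against a real daemon the last line printed is the JSON from /version (ApiVersion, Os, Arch, and so on). Once this passes, export DOCKER_HOST=tcp://<DNS_NAME>:2376, DOCKER_TLS_VERIFY=1 and DOCKER_CERT_PATH=/path/to/certs so that plain `docker` commands use the same settings without the --tls* flags.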
  3. Optional Security Tips
    • Treat the CA as your access-control list: every client certificate it signs is root on the host. Issue one certificate per user or system, keep ca-key.pem offline, and plan for a leaked client key by being able to reissue the CA and every certificate, since dockerd does not consult a CRL.
    • Use a firewall to restrict the Docker API port (default 2376) to the source addresses of your clients; TLS authenticates the peer but does not hide the port from scanners.
    • Bind the listener to one address (-H tcp://<IP_ADDRESS>:2376) rather than 0.0.0.0 unless every interface really needs it, and never enable the plaintext port 2375.
    • Regularly update Docker to get security patches.

Securing your Docker daemon keeps your system safe and reliable. Always require mutual TLS (--tlsverify) for remote access, and never expose the daemon on the network without it.

Author
Wassim Bejaoui
Security Engineer