You may want to manually seal the Secret Store to protect its contents from an intruder.
Sealed Secret Stores cannot be accessed from the web interface. Secret values cannot be retrieved using the Secrets API. Services that depend on values in the Secret Store may fail to deploy.
To seal the Secret Store, complete the following steps.
You must have the DC/OS CLI installed and be logged in as a superuser via dcos auth login.
If your security mode is strict, you must follow the steps in Obtaining and passing the DC/OS certificate in curl requests before issuing the curl commands in this section. If your security mode is disabled, you must delete --cacert dcos-ca.crt from the commands before issuing them.
Use the following command to seal the Secret Store.
curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" $(dcos config show core.dcos_url)/secrets/v1/seal/default
Confirm that the Secret Store was sealed with this command.
curl --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" $(dcos config show core.dcos_url)/secrets/v1/seal-status/default
It should return the following JSON.