Docker Encryption
In this guide, we will explore Docker image encryption and describe the key concepts and benefits. We will delve into the integration with Securosys products and explain why their integration into any Docker security ecosystem is critical.
In the ever-evolving landscape of containerization and cloud-native technologies, Docker has emerged as a cornerstone, revolutionizing how applications are developed, deployed, and managed. However, as the adoption of Docker containers continues to skyrocket, so too does the need for robust security measures. Docker image signing and encryption have emerged as essential components of this security posture, ensuring the integrity and confidentiality of containerized applications.
Where there’s signing or encryption, there’s a key. The question of how that key is handled, managed, and distributed becomes paramount. Securosys Primus HSMs and CloudHSMs are optimized for the physical protection of private key material and FIPS 140-2 Level 3 and Common Criteria certified.
This guide explains how to encrypt Docker images with a Securosys HSM. This allows you to keep your Docker images secure, while also protecting your encryption keys.
How it works
Skopeo is a command line tool for working with container images and container registries. Skopeo can encrypt and decrypt container images using OCIcrypt.
Securosys provides a plugin for Skopeo. This plugin teaches Skopeo how to communicate with a Securosys HSM over the REST API, so that Skopeo uses an HSM-backed key to encrypt container images.
For a quick overview, see these Skopeo encryption examples.
Target Audience
This document is intended for Securosys Primus HSM or CloudHSM administrators and DevOps professionals. Running the Securosys Docker Encryption Plugin requires that you are already familiar with using Docker Engine, Docker Compose, as well as Skopeo.
For on-premises HSM deployed operation administrative skills are required for Securosys Transaction Security Broker (TSB) and Securosys Primus HSMs.
Support Contact
If you encounter a problem while installing/configuring the provider or integrating the HSM with the plugins, make sure that you have read the referenced documentation. If you cannot resolve the issue, please contact Securosys Customer Support. For specific requests regarding Securosys Docker Image Signing and Encryption plugins, the Securosys Support Portal is reachable under https://support.securosys.com.
What's Next
- Read the quickstart guide.
- For detailed instructions, follow the installation guide.
- Follow the Tutorials on Encrypting and Decrypting Docker Images.
- Delve into the Concepts section for additional background information.