Skip to main content



In this guide, we will explore the foundations of Docker image encryption and describe the key concepts and benefits. We will delve into the integration with Securosys products and explain why their integration into any Docker security ecosystem is critical.

In the ever-evolving landscape of containerization and cloud-native technologies, Docker has emerged as a cornerstone, revolutionizing how applications are developed, deployed, and managed. However, as the adoption of Docker containers continues to skyrocket, so too does the need for robust security measures. Docker image signing and encryption have emerged as essential components of this security posture, ensuring the integrity and confidentiality of containerized applications.

Where there’s signing or encryption, there’s a key. The question of how that key is handled, managed, and distributed becomes paramount.

Securosys Primus HSMs (Hardware Security Modules) are optimized for the physical protection of private key material and FIPS 140-2 Level 3 and Common Criteria certified.

Securosys plugins for Docker Image Signing and Encryption communicate by REST API trough Securosys Transaction Security Broker (TSB) with on-premises Primus HSM or Securosys CloudHSM – HSM as a Service.

This application note aims to provide guidance on the integration process of Docker image encryption using “Skopeo” and OCIcrypt with keys protected in the HSM with on-premises Primus HSM or Securosys CloudHSM.

Target Audience

This document is intended for Securosys Primus HSM or CloudHSM administrators and DevOps professionals. Running the Securosys Docker Encryption Plugin requires that you are already familiar with using Docker Engine, Docker Compose, as well as Skopeo.

For on-premises HSM deployed operation administrative skills are required for Securosys Transaction Security Broker (TSB) and Securosys Primus HSMs.

Support Contact

If you encounter a problem while installing/configuring the provider or integrating the HSM with the plugins, make sure that you have read the referenced documentation. If you cannot resolve the issue, please contact Securosys Customer Support. For specific requests regarding Securosys Docker Image Signing and Encryption plugins, the Securosys Support Portal is reachable under

What's Next

For a smooth start with the Docker Image Encryption plugin: