Quickstart with Docker Encryption
This quickstart guide provides a brief overview of the steps to download, set up and use the Securosys Docker Image Encryption plugin.
1. Download and install Skopeo.

   Linux:

   ```shell
   sudo apt-get -y update
   sudo apt-get -y install skopeo
   ```

   MacOS:

   ```shell
   brew install skopeo
   ```

2. Download the Securosys Docker Image Encryption Plugin files and unzip them.

3. Create an encryption key on the HSM (unless you already have a key):

   ```shell
   curl 'https://<TSB_APIendpoint>/v1/key' \
     -H 'Authorization: Bearer <bearer_token>' \
     --json '{"label": "SecurosysEncKey01", "algorithm": "RSA", "keySize": 2048, "attributes": {"encrypt": true, "decrypt": true}}'
   ```

4. Copy the plugin binary `skopeo-securosys` and the `ocicrypt.conf` to `${HOME}/Securosys/skopeo`. Adapt the parameters in `ocicrypt.conf` according to your environment:

   ```json
   {
     "key-providers": {
       "securosys_encryption": {
         "cmd": {
           "path": "/<pathToExecutable>/skopeo-securosys",
           "args": [
             "-cipher-algorithm <yourCipherAlgorithm>",
             "-tsb-api-endpoint <TSB_APIendpoint>",
             "-auth <TOKEN>",
             "-token <yourToken>",
             "-certpath <PathToCrt>",
             "-keypath <PathToKey>",
             "-keyOperationToken <TSB-TOKEN>",
             "-publicKey <PUBLIC_KEY>",
             "-privateKey <PRIVATE_KEY>"
           ]
         }
       }
     }
   }
   ```

5. Choose an image you want to encrypt. The image needs to be OCI-compliant. This can either be an image that you have built locally, or an image that you have pulled from a remote image registry. For example, take the Alpine Linux image from docker.io and copy it locally:

   ```shell
   skopeo copy docker://docker.io/amd64/alpine:latest oci:alpine
   ```

6. Encrypt the image:

   ```shell
   [KEY_PASSWORD=<password>] OCICRYPT_KEYPROVIDER_CONFIG=<pathToConfig>/ocicrypt.conf skopeo --override-os linux copy --encryption-key provider:skopeo-securosys:<keyLabel> oci:alpine oci:alpine-encrypted
   ```

7. Decrypt the image:

   ```shell
   [KEY_PASSWORD=<password>] OCICRYPT_KEYPROVIDER_CONFIG=<pathToConfig>/ocicrypt.conf skopeo --override-os linux copy --decryption-key provider:skopeo-securosys:<keyLabel> oci:alpine-encrypted oci:alpine-decrypted
   ```
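The encrypt and decrypt commands above do not talk to the HSM themselves: skopeo (through the ocicrypt library) launches the `cmd` key provider from `ocicrypt.conf` for each layer, hands it a JSON request on stdin, and stores whatever it answers as an annotation in the encrypted image; on decryption the same plugin gets that annotation back and must return the layer key material. The Go program below is an added example, not the Securosys plugin or any code from it: it implements that request/response protocol with a throwaway local RSA-2048 key standing in for the HSM key, so you can see what the plugin receives (including the `<keyLabel>` from `provider:skopeo-securosys:<keyLabel>`) and what it must return. The provider name `skopeo-securosys`, the use of plain RSA-OAEP as the annotation format, and the `NewProvider`/`Handle` names are assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"io"
	"os"
)

// Wire types of the ocicrypt key-provider protocol: a "cmd" provider such as skopeo-securosys
// reads one Request (JSON) on stdin and writes one Response (JSON) to stdout; []byte is base64.
// Parameters[<name>] carries what followed "provider:<name>:" on the skopeo command line,
// i.e. the HSM key label in provider:skopeo-securosys:<keyLabel>.
type EncryptConfig struct{ Parameters map[string][][]byte }
type KeyWrapParams struct {
	Ec       *EncryptConfig `json:"ec"`
	OptsData []byte         `json:"optsdata"` // symmetric layer key + cipher options, serialized
}
type KeyUnwrapParams struct {
	Annotation []byte `json:"annotation"` // what keywrap returned, stored in the image
}
type Request struct {
	Op              string          `json:"op"` // "keywrap" or "keyunwrap"
	KeyWrapParams   KeyWrapParams   `json:"keywrapparams"`
	KeyUnwrapParams KeyUnwrapParams `json:"keyunwrapparams"`
}
type Response struct {
	KeyWrapResults   struct{ Annotation []byte `json:"annotation"` } `json:"keywrapresults"`
	KeyUnwrapResults struct{ OptsData []byte `json:"optsdata"` }     `json:"keyunwrapresults"`
}

// providerName must match both the entry under "key-providers" in ocicrypt.conf
// and the <name> in provider:<name>:<keyLabel> on the skopeo command line.
const providerName = "skopeo-securosys"
// Provider stands in for the HSM: in the real plugin the RSA private key never leaves
// the HSM and wrap/unwrap become TSB REST calls. Here it is a throwaway local key.
type Provider struct{ Key *rsa.PrivateKey }

func NewProvider() (*Provider, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // same size as the quickstart's HSM key
	if err != nil {
		return nil, err
	}
	return &Provider{Key: key}, nil
}

// wrap protects optsdata with RSA-OAEP(SHA-256); a 2048-bit key caps the payload at 190 bytes
// (ErrMessageTooLong beyond that), so a plugin carrying more would wrap a data key and seal optsdata with an AEAD.
func (p *Provider) wrap(optsData []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &p.Key.PublicKey, optsData, []byte(providerName))
}

// unwrap fails closed: a modified or foreign annotation yields an error, never plaintext.
func (p *Provider) unwrap(annotation []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.Key, annotation, []byte(providerName))
}

// Handle dispatches one protocol request and returns the JSON response.
func (p *Provider) Handle(in []byte) ([]byte, error) {
	var req Request
	if err := json.Unmarshal(in, &req); err != nil {
		return nil, err
	}
	var resp Response
	var err error
	switch req.Op {
	case "keywrap":
		if ec := req.KeyWrapParams.Ec; ec == nil || len(ec.Parameters[providerName]) == 0 {
			return nil, fmt.Errorf("keywrap: no key label given for provider %q", providerName)
		}
		// A real plugin selects the HSM key by string(ec.Parameters[providerName][0]) here.
		resp.KeyWrapResults.Annotation, err = p.wrap(req.KeyWrapParams.OptsData)
	case "keyunwrap":
		resp.KeyUnwrapResults.OptsData, err = p.unwrap(req.KeyUnwrapParams.Annotation)
	default:
		err = fmt.Errorf("unknown op %q", req.Op)
	}
	if err != nil {
		return nil, err
	}
	return json.Marshal(resp)
}

func main() {
	// Stand-alone use: answer one request read from stdin with a throwaway key.
	p, err := NewProvider()
	in, _ := io.ReadAll(os.Stdin)
	var out []byte
	if err == nil {
		out, err = p.Handle(in)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	os.Stdout.Write(out)
}
```

Two points carry over to the real setup. ocicrypt resolves `provider:<name>:<keyLabel>` by looking up `<name>` under `key-providers` in `ocicrypt.conf`, so the provider name in the conf file and the one on the skopeo command line must agree. And because the private half of the key lives only in the HSM, the annotation stored in `oci:alpine-encrypted` is useless without access to the TSB endpoint and its credentials, which is what makes the decrypt step above the only way back to the layer keys.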