
Quickstart with Docker Encryption

This quickstart gives a brief overview of the steps to download, set up and use the Securosys Docker Image Encryption plugin for skopeo: a key on the HSM is created once, the plugin is registered as an ocicrypt key provider, and skopeo then encrypts and decrypts OCI image layers through that provider.

  1. Download and install Skopeo.

    sudo apt-get -y update
    sudo apt-get -y install skopeo
  2. Download the Securosys Docker Image Encryption Plugin files and unzip them.

  3. Create an encryption key on the HSM (unless you already have a key). The label you choose here (`SecurosysEncKey01` in the example) is the `<keyLabel>` referenced in steps 6 and 7:

    curl -X 'POST' \
      '<TSB_APIendpoint>/v1/key' \
      -H 'accept: application/json' \
      -H 'Authorization: Bearer <bearer_token>' \
      -H 'Content-Type: application/json' \
      -d '{
        "label": "SecurosysEncKey01",
        "algorithm": "RSA",
        "keySize": 2048,
        "attributes": {
          "encrypt": true,
          "decrypt": true
        }
      }'
  4. Copy the plugin binary skopeo-securosys and the ocicrypt.conf to ${HOME}/Securosys/skopeo. Adapt the parameters in ocicrypt.conf to your environment. Two things must line up exactly: `cmd.path` must be the absolute path of the binary you just copied (file names are case-sensitive on Linux), and the entry name under `key-providers` is the provider name that skopeo resolves from the `provider:<name>:<keyLabel>` reference in steps 6 and 7, so the two must be identical. Keep the file readable only by the user running skopeo, since it carries the TSB token and key material paths:

    {
      "key-providers": {
        "securosys_encryption": {
          "cmd": {
            "path": "/<pathToExecutable>/skopeo-securosys",
            "args": [
              "-cipher-algorithm <yourCipherAlgorithm>",
              "-tsb-api-endpoint <TSB_APIendpoint>",
              "-auth <TOKEN>",
              "-token <yourToken>",
              "-certpath <PathToCrt>",
              "-keypath <PathToKey>",
              "-keyOperationToken <TSB-TOKEN>",
              "-publicKey <PUBLIC_KEY>",
              "-privateKey <PRIVATE_KEY>"
            ]
          }
        }
      }
    }
  5. Choose an image you want to encrypt. The image needs to be OCI-compliant. This can either be an image that you have built locally, or an image that you have pulled from a remote image registry. For example, take the Alpine Linux image from docker.io and copy it locally:

    skopeo copy docker://docker.io/amd64/alpine:latest oci:alpine
  6. Encrypt the image. `OCICRYPT_KEYPROVIDER_CONFIG` points skopeo at the ocicrypt.conf from step 4; the name after `provider:` must match the entry under `key-providers` in that file, and `<keyLabel>` is the label of the HSM key from step 3. The bracketed `KEY_PASSWORD` is optional and only needed if the key material referenced in ocicrypt.conf is password-protected:

    [KEY_PASSWORD=<password>] OCICRYPT_KEYPROVIDER_CONFIG=/<pathToConfig>/ocicrypt.conf skopeo --override-os linux copy --encryption-key provider:skopeo-securosys:<keyLabel> oci:alpine oci:alpine-encrypted
  7. Decrypt the image with the same provider and key label:

    [KEY_PASSWORD=<password>] OCICRYPT_KEYPROVIDER_CONFIG=/<pathToConfig>/ocicrypt.conf skopeo --override-os linux copy --decryption-key provider:skopeo-securosys:<keyLabel> oci:alpine-encrypted oci:alpine-decrypted
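After steps 4 and 6 it is worth confirming two things before the encrypted image is pushed anywhere: that the provider name in `--encryption-key provider:<name>:<keyLabel>` really is an entry in ocicrypt.conf, and that every layer in the output manifest was actually encrypted rather than copied through in plaintext. The following script is an added example, not part of the Securosys plugin or the page above. It relies only on the ocicrypt conventions for encrypted OCI images (layer `mediaType` ending in `+encrypted`, a per-layer `org.opencontainers.image.enc.keys.provider.<name>` annotation holding the wrapped layer key, and `org.opencontainers.image.enc.pubopts`); the sample manifests embedded in it are constructed, and the `oci:<dir>` walker assumes single-image manifests in `index.json` (which is what `skopeo copy` with `--override-os linux` produces here).

```python
"""Post-encryption sanity checks for a skopeo/ocicrypt key-provider setup.

Added example (not Securosys plugin code). Usage:
  python3 check_encrypted.py ocicrypt.conf provider:skopeo-securosys:SecurosysEncKey01 alpine-encrypted
"""
import json
import os
import sys

ENC_SUFFIX = "+encrypted"
PROVIDER_ANNOTATION = "org.opencontainers.image.enc.keys.provider."  # followed by <name>
PUBOPTS_ANNOTATION = "org.opencontainers.image.enc.pubopts"

# Constructed sample: one gzip layer encrypted via provider "securosys_encryption".
# (annotation values are base64 placeholders, not real wrapped keys)
SAMPLE_ENCRYPTED_MANIFEST = {
    "schemaVersion": 2,
    "layers": [
        {
            "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip" + ENC_SUFFIX,
            "annotations": {
                PROVIDER_ANNOTATION + "securosys_encryption": "e30=",
                PUBOPTS_ANNOTATION: "e30=",
            },
        }
    ],
}
# Constructed sample: what a forgotten --encryption-key leaves behind.
SAMPLE_PLAINTEXT_MANIFEST = {
    "schemaVersion": 2,
    "layers": [{"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip"}],
}


def provider_name(key_ref: str) -> str:
    """Extract <name> from an ocicrypt 'provider:<name>:<parameters>' key reference."""
    scheme, _, rest = key_ref.partition(":")
    if scheme != "provider" or not rest:
        raise ValueError(f"not a key-provider reference: {key_ref!r}")
    return rest.split(":", 1)[0]


def check_provider_config(conf: dict, key_ref: str) -> list:
    """Problems in an ocicrypt.conf dict for the provider named in key_ref."""
    name = provider_name(key_ref)
    providers = conf.get("key-providers", {})
    if name not in providers:
        return [f"provider {name!r} not in ocicrypt.conf (defined: {sorted(providers)})"]
    path = providers[name].get("cmd", {}).get("path", "")
    if not path:
        return [f"provider {name!r}: cmd.path missing"]
    if not os.path.isabs(path):
        return [f"provider {name!r}: cmd.path is not absolute: {path!r}"]
    return []


def check_manifest(manifest: dict, name: str) -> list:
    """Problems in an OCI manifest that should be fully encrypted for provider `name`."""
    problems = []
    layers = manifest.get("layers", [])
    if not layers:
        problems.append("manifest has no layers")
    for i, layer in enumerate(layers):
        media_type = layer.get("mediaType", "")
        annotations = layer.get("annotations") or {}
        if not media_type.endswith(ENC_SUFFIX):
            problems.append(f"layer {i}: plaintext mediaType {media_type!r}")
            continue
        if PROVIDER_ANNOTATION + name not in annotations:
            problems.append(f"layer {i}: no wrapped layer key for provider {name!r}")
        if PUBOPTS_ANNOTATION not in annotations:
            problems.append(f"layer {i}: missing {PUBOPTS_ANNOTATION}")
    return problems


def check_oci_layout(layout_dir: str, name: str) -> list:
    """Follow index.json -> blobs/<algo>/<hex> for each manifest and check it."""
    with open(os.path.join(layout_dir, "index.json")) as f:
        index = json.load(f)
    problems = []
    for desc in index.get("manifests", []):
        algo, _, hexdigest = desc["digest"].partition(":")
        with open(os.path.join(layout_dir, "blobs", algo, hexdigest)) as f:
            manifest = json.load(f)
        problems += [f"{desc['digest']}: {p}" for p in check_manifest(manifest, name)]
    return problems


def demo() -> dict:
    """Run both checks on the constructed samples; returns problem lists per sample."""
    return {
        "encrypted": check_manifest(SAMPLE_ENCRYPTED_MANIFEST, "securosys_encryption"),
        "plaintext": check_manifest(SAMPLE_PLAINTEXT_MANIFEST, "securosys_encryption"),
    }


if __name__ == "__main__":
    conf_path, key_ref, layout = sys.argv[1:4]
    with open(conf_path) as f:
        found = check_provider_config(json.load(f), key_ref)
    found += check_oci_layout(layout, provider_name(key_ref))
    for problem in found:
        print("FAIL:", problem)
    sys.exit(1 if found else 0)
```

Run it against the ocicrypt.conf from step 4, the exact `provider:...` string used in step 6 and the `alpine-encrypted` directory; a non-zero exit means either the provider name does not resolve (skopeo would have failed with a provider error, or silently used a differently named entry) or at least one layer is still plaintext. The same manifest view is available with `skopeo inspect --raw oci:alpine-encrypted` if you prefer to eyeball it.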