
Docker Image Signing

In this guide, we explore Docker image signing, describe its key concepts and benefits, and show how it integrates with Securosys products and why that integration matters in any Docker security ecosystem.

In the ever-evolving landscape of containerization and cloud-native technologies, Docker has emerged as a cornerstone, revolutionizing how applications are developed, deployed, and managed. However, as the adoption of Docker containers continues to skyrocket, so too does the need for robust security measures. Docker image signing has emerged as an essential component, ensuring the integrity and confidentiality of containerized applications.

Where there's signing, there's a key. The question of how that key is handled, managed, and distributed becomes paramount.

Securosys Hardware Security Modules (HSMs) are not only optimized for the physical protection of private key material, as most general-purpose HSMs are. Securosys Primus HSMs additionally enforce access control over key usage with specific and sophisticated authorizations, which is essential when signing Docker images.

The requirements of modern digital identity applications go beyond traditional HSM capabilities. In many cases, organizational policies require multiple approvals before a signature is finally authorized, and general-purpose HSMs typically do not support such workflows. With Securosys Smart Key Attributes (SKA), rules such as quorums and time restrictions can be defined for each key individually, meeting even the most complex organizational policies. These policies are enforced within the same secure boundary that protects the key itself.

The Securosys Transaction Security Broker (TSB) makes implementing SKAs much easier thanks to its REST API and internal approval orchestration. The TSB runs as a standalone engine, connects to an external database instance, and integrates with the SKA-enabled HSM. The TSB itself is not security-critical, since all security-relevant operations are carried out inside the HSM.

This guide explains how to integrate Docker image signing using Notation (also known as Notary v2) with keys protected in an HSM, both on-premises and in the cloud.

How it works

Notation is a command line tool for signing and verifying container images. The signatures help ensure that the images are authentic and haven't been tampered with.

Securosys provides a plugin for Notation. The plugin teaches Notation how to communicate with a Securosys HSM over the REST API, so that Notation signs and verifies container images with an HSM-backed key. Combined with SKA keys, the signing keys are protected by strong, policy-based authorization.
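As an added illustration of the workflow a plugin-backed key enables (example commands, not taken from this guide or from the Securosys plugin documentation): the plugin name, the HSM key identifier, the CA certificate path and the image reference are placeholders, and the exact plugin and key options are assumptions to be checked against the plugin's own documentation.

```shell
#!/bin/sh
# Added example: sign an image with a Notation plugin-backed HSM key and verify it
# against a trust policy. PLUGIN_NAME, KEY_ID, CA_CERT and IMAGE are placeholders.
set -eu

PLUGIN_NAME="${PLUGIN_NAME:-PLACEHOLDER_SECUROSYS_PLUGIN}"  # name as listed by 'notation plugin ls'
KEY_ID="${KEY_ID:-PLACEHOLDER_HSM_KEY_ID}"                 # key identifier known to the HSM
CA_CERT="${CA_CERT:-./placeholder-ca.crt}"                 # CA that issued the signing certificate
IMAGE="${IMAGE:-registry.example.com/app:1.0.0}"           # constructed image reference
STORE_NAME="securosys-ca"

# Register the HSM key with Notation. No private key material leaves the HSM:
# Notation only stores a key name and which plugin to call for signing.
register_hsm_key() {
    notation plugin ls
    notation key add --plugin "$PLUGIN_NAME" --id "$KEY_ID" hsm-signing-key
}

# Notation resolves the tag to a digest and signs that manifest, so the signature
# is bound to the exact image content, not to the mutable tag.
sign_image() {
    notation sign --key hsm-signing-key "$IMAGE"
}

# Strict policy: every image in scope must carry a valid signature whose
# certificate chains to the named trust store.
write_trust_policy() {
    cat > "$1" <<EOF
{
  "version": "1.0",
  "trustPolicies": [
    {
      "name": "securosys-signed-images",
      "registryScopes": [ "*" ],
      "signatureVerification": { "level": "strict" },
      "trustStores": [ "ca:${STORE_NAME}" ],
      "trustedIdentities": [ "*" ]
    }
  ]
}
EOF
}

verify_image() {
    notation cert add --type ca --store "$STORE_NAME" "$CA_CERT"
    write_trust_policy "./trustpolicy.json"
    notation policy import ./trustpolicy.json
    notation verify "$IMAGE"
}
```

Run `register_hsm_key`, `sign_image` and `verify_image` in that order on a host where Notation and the plugin are installed; `notation verify` fails closed if the signature is missing or does not chain to the trust store.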

For more details, see the Signing Docker Image Scenarios.

Target Audience

This document is intended for Securosys Primus HSM or CloudHSM administrators and DevOps professionals. You should already be familiar with using Docker Engine, Docker Compose, as well as Notation.

For on-premises HSMs, administrative skills are required for running the HSM and the TSB.

What's Next

Get started with CloudHSM for free.
Other questions? Ask Sales.