Skip to main content



In this guide, we will explore the foundations of Docker image signing and describe the key concepts and benefits. We will delve into the integration with Securosys products and explain why their integration into any Docker security ecosystem is critical.

In the ever-evolving landscape of containerization and cloud-native technologies, Docker has emerged as a cornerstone, revolutionizing how applications are developed, deployed, and managed. However, as the adoption of Docker containers continues to skyrocket, so too does the need for robust security measures. Docker image signing have emerged as essential components of this security posture, ensuring the integrity and confidentiality of containerized applications.

Where there's signing, there's a key. The question of how that key is handled, managed, and distributed becomes paramount.

Securosys Hardware Security Modules (HSM) are not only optimized for the physical protection of private key material like most general-purpose HSMs; In addition, Securosys Primus HSMs provide control of the keys usage with specific and sophisticated authorizations, which is essential for signing Docker images.

Requirements of modern digital identity applications go beyond the traditional HSM capabilities. In many cases, organizational policies require multiple approvals before a signature is finally authorized. General-purpose HSMs typically don't allow for such workflows. With Securosys Primus HSMs Smart Key Attributes (SKA), it is possible to define rules such as quorums and time-restrictions for each key individually, thus meeting even the most complex organization policies. The policies are enforced within the same secure boundaries that protects the key itself.

Securosys Transaction Security Broker (TSB) makes the implementation of SKAs much easier thanks to its REST API and internal approval orchestration. It runs as a standalone engine, connects to an external database instance, and integrates the SKA-enabled Securosys HSM - and is thus uncritical for security, since all security relevant operations are carried out inside the HSM.

Securosys plugin for Docker Signing communicate by REST API trough Securosys Transaction Security Broker (TSB) with on-premises Primus HSM or Securosys PrimusHSM - REST API - HSM as a Service and take optionally advantage of the multi-authorization workflow provided by SKA.

This application note aims to provide guidance on the integration process of Docker image signing using "Notation" (aka Notary v2 / Docker Content Trust notary v2) with keys protected in the HSM with on-premises Primus HSM or Securosys CloudHSM.

Target Audience

This document is intended for Securosys Primus HSM or CloudHSM administrators and DevOps professionals. Running the Securosys Plugins requires that you are already familiar with using Docker Engine, Docker Compose, as well as Notation.

For on-premises HSM deployed operation administrative skills are required for Securosys Transaction Security Broker (TSB) and Securosys Primus HSMs.

What's next?