Docker Image Signing

In this guide, we will explore the foundations of Docker image signing and describe the key concepts and benefits. We will delve into the integration with Securosys products and explain why their integration into any Docker security ecosystem is critical.

In the ever-evolving landscape of containerization and cloud-native technologies, Docker has emerged as a cornerstone, revolutionizing how applications are developed, deployed, and managed. However, as the adoption of Docker containers continues to skyrocket, so too does the need for robust security measures. Docker image signing has emerged as an essential component, ensuring the integrity and confidentiality of containerized applications.

Where there's signing, there's a key. The question of how that key is handled, managed, and distributed becomes paramount.

Securosys Hardware Security Modules (HSM) are not only optimized for the physical protection of private key material like most general-purpose HSMs. In addition, Securosys Primus HSMs provide access control of the keys usage with specific and sophisticated authorizations, which is essential for signing Docker images.

Requirements of modern digital identity applications go beyond the traditional HSM capabilities. In many cases, organizational policies require multiple approvals before a signature is finally authorized. General-purpose HSMs typically don't allow for such workflows. With Securosys Smart Key Attributes (SKA), it is possible to define rules such as quorums and time-restrictions for each key individually, thus meeting even the most complex organization policies. The policies are enforced within the same secure boundaries that protects the key itself.

Securosys Transaction Security Broker (TSB) makes the implementation of SKAs much easier thanks to its REST API and internal approval orchestration. The TSB runs as a standalone engine, connects to an external database instance, and integrates the SKA-enabled HSM. It is not critical for security, since all security relevant operations are carried out inside the HSM.

The Securosys plugin for Docker Signing communicates with the HSM via the REST API provided by the TSB.

This guide explains how to integrate Docker image signing using "Notation" (aka Notary v2 / Docker Content Trust notary v2) with keys protected in an HSM, both on-premise and in the cloud.

Target Audience

This document is intended for Securosys Primus HSM or CloudHSM administrators and DevOps professionals. You should already be familiar with using Docker Engine, Docker Compose, as well as Notation.

For on-premise HSMs, administrative skills are required for running the HSM and the TSB.

Getting started with Docker Image Signing and HSMs

• Read the QuickStart Guide
• Request Samples (Rest-API) Samples
• Read the Prerequisites
• Read the official Deployment Guide