
Getting Started with Docker Encryption

This quick start guide provides a comprehensive task listing to download, set up and use the Securosys Docker Image Encryption plugin. For more detailed instructions consult the Installation and Tutorial sections.

  1. Download and install Skopeo

    sudo apt-get -y update
    sudo apt-get -y install skopeo

  2. Download Securosys Docker Image Encryption Plugin files

    Follow the instructions provided in section Download.

  3. Unzip Securosys Docker Image Encryption Plugin binary

    unzip securosys_docker-encryption-skopeo-plugin-executable-latest.zip

  4. Unzip Securosys Docker Image Encryption Plugin configuration file

    unzip securosys_docker-encryption-skopeo-plugin-configuration-latest.zip

  5. Read the Securosys Docker Image Encryption Plugin Release Notes

    less securosys_docker-encryption-skopeo-plugin-releasenotes-latest.md

  6. Create an encryption key on the HSM (unless a key has been generated before)

    curl -X 'POST' \
      '<TSB_APIendpoint>/v1/key' \
      -H 'accept: application/json' \
      -H 'Authorization: Bearer ergq0ejgadjlfkgjaldfjgaodf9gjad0f9hgadfhgadhfogiah…' \
      -H 'Content-Type: application/json' \
      -d '{
        "label": "SecurosysEncKey01",
        "algorithm": "RSA",
        "keySize": 2048,
        "attributes": {
          "encrypt": true,
          "decrypt": true,
          "verify": false,
          "sign": false,
          "wrap": false,
          "unwrap": false,
          "derive": false,
          "bip32": false,
          "extractable": false,
          "modifiable": false,
          "destroyable": false,
          "sensitive": true,
          "copyable": false
        }
      }'
  7. Copy the plugin binary skopeo-securosys and the ocicrypt.conf to ${HOME}/Securosys/skopeo and adapt the parameters pathToExecutable, -cipher-algorithm, -tsb-api-endpoint, -auth, -token, -keyOperationToken, -publicKey and -privateKey in ocicrypt.conf according to your environment:

    NOTE

    When utilizing the CloudHSM service, refer to Cloud Connectivity Details for the correct API-Endpoint URI. For on-premise deployments, verify the API-Endpoint URI with your administrator. Contact your service administrator for authentication credentials in any setup (on-prem or cloud).

    {
      "key-providers": {
        "securosys_encryption": {
          "cmd": {
            "path": "/<pathToExecutable>/skopeo-securosys",
            "args": [
              "-cipher-algorithm <yourCipherAlgorithm>",
              "-tsb-api-endpoint <TSB_APIendpoint>",
              "-auth <TOKEN>",
              "-token <yourToken>",
              "-certpath <PathToCrt>",
              "-keypath <PathToKey>",
              "-keyOperationToken <TSB-TOKEN>",
              "-publicKey <PUBLIC_KEY>",
              "-privateKey <PRIVATE_KEY>"
            ]
          }
        }
      }
    }
  8. Prepare a sample image for encryption, or use an already-built image from any public/private registry by pulling it into your local repository. Ensure the image is OCI-compliant (Skopeo). As an example, we use the Alpine project's image from docker.io and copy it to the working directory:

    skopeo copy docker://docker.io/amd64/alpine:latest oci:alpine

  9. Encrypt the image as shown below:

    [KEY_PASSWORD=<password>] OCICRYPT_KEYPROVIDER_CONFIG=<pathToConfig>/ocicrypt.conf skopeo --override-os linux copy --encryption-key provider:skopeo-securosys:<keyLabel> oci:alpine oci:alpine-encrypted

  10. Decrypt the image as shown below:

    [KEY_PASSWORD=<password>] OCICRYPT_KEYPROVIDER_CONFIG=<pathToConfig>/ocicrypt.conf skopeo --override-os linux copy --decryption-key provider:skopeo-securosys:<keyLabel> oci:alpine-encrypted oci:alpine-decrypted
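As an added check (example code, not part of the Securosys plugin or this guide), the following Python script verifies that the oci:alpine-encrypted directory produced by the encryption step contains only encrypted layers before the image is pushed to a registry. The ocicrypt key-provider annotation prefix it looks for is an assumption, and the sample manifests are constructed.

```python
"""Post-encryption check: confirm every layer of the OCI image written by
`skopeo copy --encryption-key ...` is actually encrypted before pushing it."""
import json
import os

ENC_SUFFIX = "+encrypted"
# Assumption: ocicrypt marks key-provider-wrapped layers with this annotation prefix.
PROVIDER_ANNOTATION_PREFIX = "org.opencontainers.image.enc.keys.provider."


def unencrypted_layers(manifest: dict) -> list:
    """Return the digests of layers that are not encrypted: media type without
    the '+encrypted' suffix, or no key-provider annotation carrying the wrapped key."""
    bad = []
    for layer in manifest.get("layers", []):
        media_type = layer.get("mediaType", "")
        annotations = layer.get("annotations") or {}
        has_wrapped_key = any(k.startswith(PROVIDER_ANNOTATION_PREFIX) for k in annotations)
        if not media_type.endswith(ENC_SUFFIX) or not has_wrapped_key:
            bad.append(layer.get("digest", "<missing digest>"))
    return bad


def load_manifest(oci_dir: str) -> dict:
    """Read the first manifest referenced by index.json in an OCI layout directory
    (for example the alpine-encrypted directory created by skopeo)."""
    with open(os.path.join(oci_dir, "index.json")) as f:
        index = json.load(f)
    algo, hex_digest = index["manifests"][0]["digest"].split(":", 1)
    with open(os.path.join(oci_dir, "blobs", algo, hex_digest)) as f:
        return json.load(f)


# Constructed sample manifests (shape follows the OCI image spec; digests are fake).
ENCRYPTED_LAYER = {
    "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip+encrypted",
    "digest": "sha256:" + "a" * 64,
    "annotations": {PROVIDER_ANNOTATION_PREFIX + "skopeo-securosys": "<base64 wrapped key>"},
}
PLAINTEXT_LAYER = {
    "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
    "digest": "sha256:" + "b" * 64,
}
GOOD_MANIFEST = {"schemaVersion": 2, "layers": [ENCRYPTED_LAYER]}
MIXED_MANIFEST = {"schemaVersion": 2, "layers": [ENCRYPTED_LAYER, PLAINTEXT_LAYER]}

if __name__ == "__main__":
    import sys
    manifest = load_manifest(sys.argv[1]) if len(sys.argv) > 1 else MIXED_MANIFEST
    leaked = unencrypted_layers(manifest)
    print("all layers encrypted" if not leaked else "UNENCRYPTED layers: " + ", ".join(leaked))
    sys.exit(1 if leaked else 0)
```

Run it as `python3 check_encrypted.py alpine-encrypted`; a non-zero exit means at least one layer would be pushed in plaintext.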