Getting Started with Docker Encryption

This quick start guide provides a comprehensive task listing to download, setup and use the Securosys Docker Image Encryption plugin. For more detailled detailled instructions consult the Installation and Tutorial section.

1. Download and install Skopeo

Linux

sudo apt-get -y update
sudo apt-get -y install skopeo

MacOS

brew install skopeo

2. Download Securosys Docker Image Encryption Plugin files

   Follow the instructions provided in section Download.

3. Unzip Securosys Docker Image Encryption Plugin binary

unzip securosys_docker-encryption-skopeo-plugin-executable-latest.zip

4. Unzip Securosys Docker Image Encryption Plugin configuration file

unzip securosys_docker-encryption-skopeo-plugin-configuration-latest.zip

5. Read the Securosys Docker Image Encryption Plugin Release Notes

less securosys_docker-encryption-skopeo-plugin-releasenotes-latest.md

6. Create an encryption key on the HSM (unless a key has been generated before)

Linux / MacOS

curl -X 'POST' \ 
    '<TSB_APIendpoint>/v1/key' \
    -H 'accept: application/json' \ 
    -H 'Authorization: Bearer ergq0ejgadjlfkgjaldfjgaodf9gjad0f9hgadfhgadhfogiah…'\
    -H 'Content-Type: application/json' \ 
    -d '{ 
    "label": "SecurosysEncKey01", 
    "algorithm": "RSA", 
    "keySize": 2048, 
    "attributes": {
     "encrypt": true,
     "decrypt": true,
     "verify": false, 
     "sign": false, 
     "wrap": false, 
     "unwrap": false, 
     "derive": false, 
     "bip32": false, 
     "extractable": false,
     "modifiable": false,
     "destroyable": false,
     "sensitive": true,
     "copyable": false 
    } 
} '

Windows

curl command for Windows

7. Copy the plugin binary skopeo-securosys and the ocicrypt.conf to ${HOME}/Securosys/skopeo and adapt the parameters pathToExecutable, -cipher-algorithm, tsb-api-endpoint, -auth, -token , -keyOperationToken, -publicKey, -privateKey according to your environment in ocicrypt.conf:

NOTE

When utilizing CloudHSM service, refer to Cloud Connectivity Details for accurate API-Endpoint URI. For on-premise deployments, verify API-Endpoint URI with your administrator. Contact your service administrator for authentication credentials in any setup (on-prem or cloud).

{ 
    "key-providers": { 
        "securosys_encryption": { 
            "cmd": { 
            "path":"/<pathToExecutable>/Skopeo-securosys",
            "args":  [ 
                "-cipher-algorithm <yourCipherAlgorithm>",
                "-tsb-api-endpoint <TSB_APIendpoint>",
                "-auth <TOKEN>",
                "-token <yourToken>",
                "-certpath <PathToCrt>",
                "-keypath <PathToKey>",
                "-keyOperationToken <TSB-TOKEN>",
                "-publicKey <PUBLIC_KEY>",
                "-privateKey <PRIVATE_KEY>"
                ] 
            } 
        } 
    } 
} 

8. Prepare a sample image for encryption or use an already-built image from any public/private registry by pulling it into your local repository. Ensure the image is OCI-compliant (Skopeo). As an example, we utilize the Alpine project's image from docker.io and copy it to the working directory:

skopeo copy docker://docker.io/amd64/alpine:latest oci:alpine

9. Encrypt the image as shown below:

[KEY_PASSWORD=password] OCICRYPT_KEYPROVIDER_CONFIG=<pathToConfig>/ocicrypt.conf skopeo --override-os linux copy --encryption-key provider:skopeo-securosys:<keyLabel> oci:alpine oci:apline-encrypted 

10. Decrypt the image as shown below:

[KEY_PASSWORD=<password>] OCICRYPT_KEYPROVIDER_CONFIG=/<pathToConfig>/ocicrypt.conf skopeo --override-os linux copy --decryption-key provider:skopeo-securosys:<keyLabel> oci:alpine-encrypted oci:alpine-decrypted