Getting Started with Docker Encryption
This quick start guide lists the tasks needed to download, set up and use the Securosys Docker Image Encryption plugin. For more detailed instructions consult the Installation and Tutorial sections.
- Download and install Skopeo (Linux / macOS):

```shell
# Linux (Debian/Ubuntu, apt)
sudo apt-get -y update
sudo apt-get -y install skopeo

# macOS (Homebrew)
brew install skopeo
```
- Download the Securosys Docker Image Encryption Plugin files: follow the instructions provided in the Download section.
- Unzip the Securosys Docker Image Encryption Plugin binary:

```shell
unzip securosys_docker-encryption-skopeo-plugin-executable-latest.zip
```

- Unzip the Securosys Docker Image Encryption Plugin configuration file:

```shell
unzip securosys_docker-encryption-skopeo-plugin-configuration-latest.zip
```

- Read the Securosys Docker Image Encryption Plugin Release Notes:

```shell
less securosys_docker-encryption-skopeo-plugin-releasenotes-latest.md
```
- Create an encryption key on the HSM (skip this step if a key has been generated before). The attribute set below enables only `encrypt` and `decrypt`, and marks the key `sensitive` and non-`extractable`, so the private key never leaves the HSM; note that `destroyable: false` also prevents the key from being deleted later, so choose the label with care.
  - Linux / macOS:

```shell
curl -X 'POST' \
  '<TSB_APIendpoint>/v1/key' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer ergq0ejgadjlfkgjaldfjgaodf9gjad0f9hgadfhgadhfogiah…' \
  -H 'Content-Type: application/json' \
  -d '{
  "label": "SecurosysEncKey01",
  "algorithm": "RSA",
  "keySize": 2048,
  "attributes": {
    "encrypt": true,
    "decrypt": true,
    "verify": false,
    "sign": false,
    "wrap": false,
    "unwrap": false,
    "derive": false,
    "bip32": false,
    "extractable": false,
    "modifiable": false,
    "destroyable": false,
    "sensitive": true,
    "copyable": false
  }
}'
```

  - Windows: send the same request with curl, adapting the line continuations and quoting to the Windows shell.
- Copy the plugin binary `skopeo-securosys` and the configuration file `ocicrypt.conf` to `${HOME}/Securosys/skopeo`, then adapt the parameters `pathToExecutable`, `-cipher-algorithm`, `-tsb-api-endpoint`, `-auth`, `-token`, `-keyOperationToken`, `-publicKey` and `-privateKey` (and, if present, `-certpath` and `-keypath`) in `ocicrypt.conf` to your environment. The `path` entry must point to the unzipped binary by its exact name (file names are case-sensitive on Linux):
NOTE
When utilizing CloudHSM service, refer to Cloud Connectivity Details for accurate API-Endpoint URI. For on-premise deployments, verify API-Endpoint URI with your administrator. Contact your service administrator for authentication credentials in any setup (on-prem or cloud).
```json
{
  "key-providers": {
    "securosys_encryption": {
      "cmd": {
        "path": "/<pathToExecutable>/Skopeo-securosys",
        "args": [
          "-cipher-algorithm <yourCipherAlgorithm>",
          "-tsb-api-endpoint <TSB_APIendpoint>",
          "-auth <TOKEN>",
          "-token <yourToken>",
          "-certpath <PathToCrt>",
          "-keypath <PathToKey>",
          "-keyOperationToken <TSB-TOKEN>",
          "-publicKey <PUBLIC_KEY>",
          "-privateKey <PRIVATE_KEY>"
        ]
      }
    }
  }
}
```
- Prepare a sample image for encryption, or pull an already-built image from any public or private registry into a local OCI layout. Skopeo can only encrypt images stored in OCI format, so use the `oci:` transport for the destination. As an example, we use the Alpine project's image from docker.io and copy it into the working directory:

```shell
skopeo copy docker://docker.io/amd64/alpine:latest oci:alpine
```

- Encrypt the image as shown below. The optional `KEY_PASSWORD` variable is shown in brackets; omit it if your configuration does not require it. `<keyLabel>` is the label of the HSM key created above (for example `SecurosysEncKey01`):

```shell
[KEY_PASSWORD=<password>] OCICRYPT_KEYPROVIDER_CONFIG=<pathToConfig>/ocicrypt.conf skopeo --override-os linux copy --encryption-key provider:skopeo-securosys:<keyLabel> oci:alpine oci:alpine-encrypted
```

- Decrypt the image as shown below, referencing the same key label:

```shell
[KEY_PASSWORD=<password>] OCICRYPT_KEYPROVIDER_CONFIG=<pathToConfig>/ocicrypt.conf skopeo --override-os linux copy --decryption-key provider:skopeo-securosys:<keyLabel> oci:alpine-encrypted oci:alpine-decrypted
```
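After the encrypt and decrypt steps it is worth checking the resulting OCI layouts rather than trusting the exit code: every layer of `oci:alpine-encrypted` should carry the `+encrypted` media type and a wrapped key for the `skopeo-securosys` provider (a single plaintext layer means the image is not protected), and `oci:alpine-decrypted` should reproduce exactly the layer digests of `oci:alpine`. The following is an added example, not code from this page or from the Securosys plugin: it only parses OCI image layouts on disk and never contacts the HSM. The media-type suffix and annotation names are the ocicrypt conventions used by Skopeo; the sample layouts in `build_samples()` are constructed with placeholder bytes and are not real Skopeo output.

```python
"""Sanity checks on the OCI layouts written by `skopeo copy --encryption-key` / `--decryption-key`.

Added example, not part of the Securosys plugin or this page. Media types and annotation
names follow the ocicrypt conventions; build_samples() writes constructed stand-in layouts.
"""
import hashlib
import json
import tempfile
from pathlib import Path

ENC_SUFFIX = "+encrypted"                                      # ocicrypt appends this to a layer mediaType
PROVIDER_ANN = "org.opencontainers.image.enc.keys.provider."   # + provider name, holds the wrapped layer key
PUBOPTS_ANN = "org.opencontainers.image.enc.pubopts"           # cipher options for the layer


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_manifest(layout: Path) -> dict:
    """Follow index.json to the first manifest (single-arch image, as produced by the steps above)."""
    index = json.loads((layout / "index.json").read_text())
    algo, hexd = index["manifests"][0]["digest"].split(":", 1)
    return json.loads((layout / "blobs" / algo / hexd).read_text())


def audit_encrypted_layout(layout: Path, provider: str) -> dict:
    """Classify each layer: encrypted for `provider`, still plaintext, or encrypted but without that provider's key."""
    result = {"encrypted": [], "plaintext": [], "missing_provider": []}
    for layer in load_manifest(layout)["layers"]:
        digest = layer["digest"]
        if not layer["mediaType"].endswith(ENC_SUFFIX):
            result["plaintext"].append(digest)
        elif PROVIDER_ANN + provider in layer.get("annotations", {}):
            result["encrypted"].append(digest)
        else:
            result["missing_provider"].append(digest)
    return result


def fully_encrypted(layout: Path, provider: str) -> bool:
    """True only if every layer is encrypted and carries a key wrapped by `provider`."""
    r = audit_encrypted_layout(layout, provider)
    return bool(r["encrypted"]) and not r["plaintext"] and not r["missing_provider"]


def roundtrip_ok(original: Path, decrypted: Path) -> bool:
    """Decryption must restore the original layer digests, and each restored blob must hash to its digest."""
    orig = [layer["digest"] for layer in load_manifest(original)["layers"]]
    dec = [layer["digest"] for layer in load_manifest(decrypted)["layers"]]
    if orig != dec:
        return False
    for digest in dec:
        algo, hexd = digest.split(":", 1)
        if algo != "sha256" or sha256_hex((decrypted / "blobs" / algo / hexd).read_bytes()) != hexd:
            return False
    return True


def write_layout(root: Path, layers: list) -> Path:
    """Write a minimal OCI image layout; `layers` is a list of (blob_bytes, mediaType, annotations_or_None)."""
    blobs = root / "blobs" / "sha256"
    blobs.mkdir(parents=True)

    def put(data: bytes, media_type: str, ann=None) -> dict:
        (blobs / sha256_hex(data)).write_bytes(data)
        desc = {"mediaType": media_type, "digest": "sha256:" + sha256_hex(data), "size": len(data)}
        if ann:
            desc["annotations"] = ann
        return desc

    config = put(b'{"architecture":"amd64","os":"linux"}', "application/vnd.oci.image.config.v1+json")
    manifest = {"schemaVersion": 2, "mediaType": "application/vnd.oci.image.manifest.v1+json",
                "config": config, "layers": [put(*layer) for layer in layers]}
    mdesc = put(json.dumps(manifest).encode(), manifest["mediaType"])
    (root / "oci-layout").write_text('{"imageLayoutVersion": "1.0.0"}')
    (root / "index.json").write_text(json.dumps({"schemaVersion": 2, "manifests": [mdesc]}))
    return root


def build_samples(base=None) -> dict:
    """Constructed layouts standing in for oci:alpine, oci:alpine-encrypted, oci:alpine-decrypted, plus a half-done one."""
    base = Path(base) if base else Path(tempfile.mkdtemp())
    tar = "application/vnd.oci.image.layer.v1.tar+gzip"
    plain = b"stand-in for the gzip tar layer"                   # constructed, not a real layer
    cipher = b"\x00stand-in for the AES-encrypted layer"          # constructed, not real ciphertext
    wrapped = {PROVIDER_ANN + "skopeo-securosys": "<base64 wrapped key>", PUBOPTS_ANN: "<base64 cipher options>"}
    return {
        "original": write_layout(base / "alpine", [(plain, tar, None)]),
        "encrypted": write_layout(base / "alpine-encrypted", [(cipher, tar + ENC_SUFFIX, wrapped)]),
        "decrypted": write_layout(base / "alpine-decrypted", [(plain, tar, None)]),
        "partial": write_layout(base / "partial", [(cipher, tar + ENC_SUFFIX, wrapped), (plain, tar, None)]),
    }


if __name__ == "__main__":
    samples = build_samples()
    print(audit_encrypted_layout(samples["encrypted"], "skopeo-securosys"))
    print("fully encrypted:", fully_encrypted(samples["encrypted"], "skopeo-securosys"))
    print("round trip ok:", roundtrip_ok(samples["original"], samples["decrypted"]))
```

Against real output, call `fully_encrypted(Path("alpine-encrypted"), "skopeo-securosys")` and `roundtrip_ok(Path("alpine"), Path("alpine-decrypted"))` from the working directory used above. The provider name checked is the one in `provider:skopeo-securosys:<keyLabel>`, not the `securosys_encryption` key in `ocicrypt.conf`; the wrapped key in the annotation can only be unwrapped by the HSM key, so the check proves which provider is needed for decryption, not that decryption will succeed.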