Skip to main content

Decrypt an Image

After successfully encrypting an image, proceed with the decryption.

CAUTION

This guide assumes the operating system used is Linux Ubuntu 22.

Decrypt Docker image using local registry

Decrypt the formerly created encrypted docker image and tag it to alpine:latest-decrypted using below command. Adapt the values <password, <pathToConfig>, <keyLabel> to your needs.

[KEY_PASSWORD=password] OCICRYPT_KEYPROVIDER_CONFIG=/<pathToConfig>/ocicrypt.conf skopeo --override-os mac copy --decryption-key provider:skopeo-securosys:<keyLabel> --src-tls-verify=false -- dest-tls-verify=false docker://localhost:5000/alpine:latest-encrypted-<keyLabel> docker://localhost:5000/alpine:latest-decrypted

Example

Example command and its output:

OCICRYPT_KEYPROVIDER_CONFIG=/home/Securosys/Securosys/skopeo/ocicrypt.conf skopeo -- override-os mac copy --decryption-key provider:skopeo-securosys:SecurosysEncKey21 --src- tls-verify=false --dest-tls-verify=false docker://localhost:5000/alpine:latest- encrypted-SecurosysEncKey01 docker://localhost:5000/alpine:latest-decrypted
Getting image source signatures 
Copying blob d1a9fbe0d395 done   |  
Copying config 1021c26281 done   |  
Writing manifest to image destination

Simplified Docker Image Decryption Example (optional)

Decrypt the previously encrypted image as shown below, following the example of using skopeo directly without the registry:

[KEY_PASSWORD=<password>] OCICRYPT_KEYPROVIDER_CONFIG=/<pathToConfig>/ocicrypt.conf skopeo --override-os linux copy --decryption-key provider:skopeo-securosys:<keyLabel> oci:alpine-encrypted oci:alpine-decrypted

Command parameters:

Command parameters:Description
KEY_PASSWORD=<password>Replace the <password> variable with the -key- password parameter in the configuration file.
OCICRYPT_KEYPROVIDER_CONFIG=/<pathToConfig>/ocicrypt.confReplace the <pathToConfig> with your path to the Securosys Docker Image Encryption plugin config, ${CONFIG_PATH} as set in chapter Installation - Install the Securosys Docker Image Encryption Plugin config file

Example

Example command and its output for the decryption of an image “alpine-encrypted” and storing it as “alpine-decrypted”. For a key without password:

OCICRYPT\_KEYPROVIDER\_CONFIG=/home/Securosys/Securosys/skopeo/ocicrypt.conf skopeo -- override-os linux copy --decryption-key provider:skopeo-securosys:SecurosysEncKey01 oci:alpine-encrypted oci:alpine-decrypted 
Getting image source signatures
Copying blob 4029b2314db9 done
Copying config 5c41fd95ee done
Writing manifest to image destination

After successfully decryption the image is stored in directory decrypted and can be used normally.