Docker containers have revolutionized the way applications are developed and deployed. With the growing adoption of containers, the prominence of security concerns becomes more evident. This prompts the question: How can you fortify the trustworthiness of container images throughout their lifecycle?
Today, organizations operating in regulated environments, strive to comply with industry standards and regulations as recommended by NIST, OCI, CIS and WebTrust. Ensuring that the images are authentic and current is crucial for preserving the integrity of the software supply chain and deployment pipeline. Employing best practices, such as image signing and encryption, helps mitigate man-in-the-middle (MITM) attacks, unauthorized modifications, supply chain attacks and more.
Docker image signing is a cryptographic mechanism that verifies the source (authenticity) and integrity of Docker images before they are deployed and run on container platforms by applying digital signatures to them.
After a Docker image is signed, signifying that it has been approved (signed) by the software issuer, it is pushed to a registry where it can later be pulled by a deployment team which verifies the authenticated image. If you try to verify or run a docker image without any or with the wrong signature, it won’t work. These digital signatures are based on public-key cryptography, which means they can only be created with a private key and verified with a corresponding public key. This presents a weakness for Docker signing because if these keys are improperly managed, an attacker could distribute malicious software with a legitimate certificate. Thus, the implementation of a hardware security module (HSM) becomes paramount to the security of the signing keys.
To keep your signing keys safe, Securosys has developed a plug-in to protect them in an HSM. The Securosys Docker Image Signing plug-in is implemented within Notation (a.k.a. Notary v2 / Docker Content Trust Notary v2), the most recent and improved implementation of Notary, respectively Docker Content Trust, a Notary project tasked with signing OCI compliant images.
The Securosys Docker Image Signing Plugin is a binary plugin required to connect the Notation CLI to use the benefits of the TSB and Primus HSMs to generate, store and apply the keys in a secure hardware environment. Optionally, with SKA (smart key attributes) keys and the workflow engine part of the TSB, you can implement and orchestrate signature approvals by multiple parties, like the CISO, the development management, the product management, etc. via approval apps.
Learn more about SKA and TSB multi-authorization.
TSB in the Docker Image signing setting allows establishing highly adaptable policies for authorizing operations and transactions, as well as for blocking or unblocking keys and modifying policies, meaning that you can setup the signing process and the image signing only happens after thorough tests and confirmation by for example security and compliance officers. This way, the signing approval can be elevated to n of m quorums, time-locks that trigger alarms and restrict key operations, time-outs to prevent the misuse of suspended signing requests, and various combinations of such functionalities. Approvals can be executed through mobile, desktop, or physical cryptographic devices, with the additional security provided by the policy enforced by the HSM.
The initial step of signing an image with Notation involves hashing the original image (a Docker image intended for secure distribution to customers) using a hashing algorithm. Subsequently, the hashed Docker image must be signed with the developer's private key. The Securosys Docker Image Signing plug-in allows the creation and usage of stored private keys within the Securosys HSM, without ever exposing the key.
Thus, the hashed Docker image can be signed by the Securosys signing plug-in and Notation, using the private key. The resulting signed image is ready to be uploaded to a repository, where its signature can be later verified by a deployment team.
Figure 1 Build Pipeline with signed Docker images
Storing container images comes with its own set of hurdles, including the ever-looming threats of vulnerability exploitation, unauthorized access, image tampering, man-in-the-middle attacks, and potential data leakage.
Image encryption is the practice of encrypting Docker container images and their associated data at rest. It ensures that the contents are safeguarded from unauthorized access, tampering, or theft. This process is instrumental in securing the entire containerized application lifecycle, from image creation and storage to image distribution and runtime execution.
Encrypting a container image involves converting its contents into an unreadable format using cryptographic algorithms. This process typically employs encryption keys to secure the image's data.
These keys play a crucial role in safeguarding sensitive information; hence, the security of encryption keys is paramount, and where they are stored or managed can make a significant difference. When stored or managed within the container image pipeline, keys are vulnerable to various attacks or unauthorized access. Using an HSM to secure the keys, provides an additional layer of protection.
The Securosys Docker Image Encryption Plugin assures secure storage of images at-rest, by providing the ability to encrypt your images with keys generated and stored within a Securosys on-premises Primus HSM or CloudsHSM. The Plugin establishes a secure connection between Skopeo utility, a tool designed for managing image storage, and Securosys HSM via REST API using the Transaction Security Broker (TSB).
By integrating Docker image encryption with the hardware from Securosys, you can ensure that your keys are never exposed outside of the HSM. This is preeminent in the lifecycle of the image, as any keys exposed to the outside could be tampered with.
The DevOps team is responsible for developing and testing any container image, which is subsequently built and pushed to a repository. Before pushing the image to the repository, the developer employs the Skopeo utility to easily encrypt the image. For encryption, the OciCrypt library is utilized along with our Securosys Docker Image Encryption plug-in. This plug-in enables the developer to request the use of a private encryption key, which is hold on Securosys HSM. Importantly, this architecture ensures that the private encryption key is never exposed, providing the developer with confidence that the stored image remains secure and unaltered.
To decrypt an image, the deployment team needs to specify a decryption command using the same private key utilized during the encryption process. This process is facilitated through the Skopeo utility. The decryption request is translated and directed by the OciCrypt library to the Securosys Docker Encryption plug-in and handled by the HSM. Once the decryption is successfully completed, the user can deploy the Docker image.
Figure 2 Encryption of Docker Images
In today's development world, securing containerized applications is paramount. Docker image signing and encryption serve as the linchpin for ensuring the integrity and confidentiality of container images. Tampering with images and other threats can result in security breaches or significant losses, emphasizing the need for a robust security. By integrating Docker image signing and encryption with our Securosys Transaction Security Broker (TSB) and Hardware Security Modules (HSMs), instill trust and establish a foundation of confidence that your signed and encrypted containers are protected from unauthorized tampering and other threats.
At Securosys, we've carefully crafted our solutions for effortless integration into your current Docker signing and encryption workflows. By implementing a straightforward configuration, you can unlock the full spectrum of advantages of TSB, CloudsHSMs, or Primus HSM products, ultimately enhancing your Docker security. Maintain control of your keys and seamlessly migrate critical encryption workloads to the cloud with Securosys.
