Today we’re incredibly excited to announce support for hardware-based signing in Notary and Docker experimental.
To use hardware signing, you need to install Docker experimental. For all of you Mac users out there, we created a special Docker Tool Box just for this event that comes with everything you need installed.
The Yubikey 4 is Yubico’s new flagship product, featuring a completely new hardware and software stack that allows Docker to integrate seamlessly and provide the best security for Docker image signing.
The quickest way to get started with hardware signing is by downloading the Docker experimental binary that comes with the DockerCon 2015 Demo Toolbox:
After it’s installed, you can plug your Yubikey into a USB port and generate yourself a Docker Content Trust root key.
Make sure that the key actually made it to both the Yubikey and your local private key directory by using `notary key list`.
See those two keys in the listing? It means that you now have a root key stored both in your private folder (encrypted at rest) and inside the Yubikey.
WARNING: Make sure to back up your root key to a secure offline location. The loss of a root key is irrecoverable. You can back up your keys with `notary key backup`.
Now that we have our root key generated inside the Yubikey, we can generate keys for our first repository and push our first signed image!
And that is it. Everyone in the world that has Docker Content Trust enabled can now securely download your content.