Diogo Mónica

Docker Content Trust Gets Hardware Signing

Three months ago we launched Docker Content Trust, integrating the guarantees from The Update Framework (TUF) into Docker using Notary, an open source tool that provides trust over any content.

Today we're incredibly excited to announce support for hardware-based signing in Notary and Docker experimental.

We launched hardware signing in Notary today at DockerCon EU 2015, where we gave developers the power to be secure content publishers by providing a free Yubikey 4 to every single attendee.

To use hardware signing, you need to install Docker experimental. For all of you Mac users out there, we created a special Docker Toolbox just for this event that comes with everything you need installed.

The Yubikey 4 is Yubico's new flagship product, featuring a completely new hardware and software stack, allowing Docker to integrate seamlessly with it and provide the best security for Docker image signing.

If you want to increase the security of your Docker images, enable Docker Content Trust, get yourself a Yubikey 4 and sign away.

The quickest way to get started with hardware signing is by downloading the Docker experimental binary that comes with the DockerCon 2015 Demo Toolbox: docker-x

After it's installed, you can plug your Yubikey into a USB port and generate yourself a Docker Content Trust root key.

Make sure that the key actually made it to both the Yubikey and your local private key directory by running notary key list.

See those two keys in the listing? It means that you now have a root key stored both in your local private key directory (encrypted at rest) and inside the Yubikey.

WARNING: Make sure to back up your root key to a secure offline location. The loss of a root key is irrecoverable. You can back up your keys with notary key backup.

Now that we have our root key generated inside the Yubikey, we can generate keys for our first repository and push our first signed image!

And that is it. Everyone in the world that has Docker Content Trust enabled can now securely download your content.
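The procedure above, as an added shell example that is not part of the original post or of the Docker/Notary projects: it wraps the push-and-list steps in functions (assuming the Docker experimental binary, the notary CLI and a plugged-in Yubikey 4 are available) and adds a check over the text of notary key list that confirms a root key exists both on the Yubikey and in the local private key directory. The column layout of the listing, the IMAGE placeholder, the sample key IDs and the archive argument to notary key backup are assumptions, not taken from the post.

```shell
#!/bin/sh
# Added example; not code from the original post or from the Docker/Notary projects.
# Assumptions: the docker experimental binary and the notary CLI are on PATH, a
# Yubikey 4 is plugged in, and `notary key list` prints one key per line with the
# role in the first column and the location last, the word "yubikey" marking a
# key that lives on the token (the exact column layout is assumed, not from the post).

# Steps from the post, wrapped in a function so nothing talks to a registry or
# the token unless you call it. IMAGE is a placeholder such as docker.io/ORG/IMAGE:TAG.
publish_signed_image() {
    image="$1"
    export DOCKER_CONTENT_TRUST=1    # turn on Docker Content Trust for this shell
    docker push "$image"             # first signed push creates the root key (on the Yubikey) and the repository keys
    notary key list                  # show where every key now lives
}

# Back up the private key directory to an archive; the post says loss of the
# root key is irrecoverable. The archive argument form is assumed.
backup_keys() {
    notary key backup "$1"
}

# Given the text of `notary key list`, succeed (exit 0) only if a root key is
# present both on the Yubikey and somewhere else, i.e. the local key directory.
root_key_locations_ok() {
    listing="$1"
    on_token=$(printf '%s\n' "$listing" | awk 'tolower($1)=="root" && tolower($0) ~ /yubikey/ {n++} END {print n+0}')
    on_disk=$(printf '%s\n' "$listing"  | awk 'tolower($1)=="root" && tolower($0) !~ /yubikey/ {n++} END {print n+0}')
    if [ "$on_token" -ge 1 ] && [ "$on_disk" -ge 1 ]; then
        return 0
    fi
    return 1
}

# Constructed sample listing (not real output; key IDs are made up) used for the
# stand-alone run below. Replace with: notary key list
SAMPLE_LISTING='ROLE      GUN                  KEY ID                                                            LOCATION
----      ---                  ------                                                            --------
root                           0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9  yubikey
root                           0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9  /home/dev/.docker/trust/private
targets   docker.io/org/app    f9e8d7c6b5a4f9e8d7c6b5a4f9e8d7c6b5a4f9e8d7c6b5a4f9e8d7c6b5a4f9e8  /home/dev/.docker/trust/private'

if root_key_locations_ok "$SAMPLE_LISTING"; then
    echo "root key present on the Yubikey and in the local key directory"
else
    echo "root key is missing from the Yubikey or from the local key directory" >&2
fi
```

In practice you would run publish_signed_image with your own image name, pipe the real notary key list output into root_key_locations_ok, and only then call backup_keys; a listing that shows the root key in one place but not the other means the push did not end up in the state the post describes, and signing should not continue until that is understood.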

More details on how to use Docker Content Trust to sign your images can be found here. If you want more information on Notary, check out the Notary docs here.



4 Responses to “Docker Content Trust Gets Hardware Signing”

  1. Sebastian Bulzak

    Good to see Docker is getting serious about security. Hardware tokens are a good solution for large organizations. I've had tokens fail on me, and the turnaround time to replace them is a critical flaw.

    Do you plan to support software tokens?

    Reply
  2. Sebastian Bulzak

    Forget about it. I didn't realize you could sign content with a Yubikey. I always used it for MFA.

    MFA could be interesting at the docker registry level.

    Reply
  3. Manideep

    Does Yubikey have any alternatives for signing instead of touching the device? I am asking this because big enterprises prefer automation rather than manually touching the device each time to sign.

    Can you please let me know on this. Thank you.

    Reply
    • adam

      The root key on the Yubikey is used to sign the target/snapshot key (which is used to sign the image metadata). It's not clear from this blog post if the target/snapshot keys are *also* stored on the yubikey, or the yubikey is only used to sign them, and they are then stored on the host. If they are stored on the host, then they can still be used in automation. I'm starting to play with all this now, so should know more soon. I'm also curious about keeping the target/snapshot key in a hardware-backed HSM for the automation process.

      Reply
