
How does Docker's hardware signing work?

Docker's recent upgrade introduced support for hardware signing and, in the future, automated security analysis of Docker images. Expert Dan Sullivan goes over these new features.

Docker security got a recent upgrade with new features and tools, including support for hardware signing. The organization also announced "Project Nautilus" for automated security analysis. How does Docker hardware signing work, and what's included in Project Nautilus?

Docker hardware signing is an extension of the Docker Content Trust feature for application signing, which was released with Docker 1.8.0. Hardware signing is implemented using Yubico USB keys, hardware devices that can digitally sign an application without exposing the private root key. The Yubico USB key is a strong second factor that complies with the FIDO Alliance Universal Second Factor (U2F) specification. Application signing is a form of authentication that allows users of an image to know who created the image. With that knowledge in hand, users can then assess the trustworthiness of the image.
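The trust chain the answer describes, reduced to its two checks, as an added example in Go that is not Docker's or Notary's code: a signed targets document maps tags to content digests, and a consumer verifies the publisher's signature and then the digest of what it pulled. The key is generated in memory here; the tag, image bytes and key are constructed assumptions, and a hardware token would only change where the private key lives.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Targets binds image tags to content digests, as Content Trust's signed targets metadata does.
type Targets map[string]string
// Digest returns the hex sha256 digest of the image bytes.
func Digest(image []byte) string {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:])
}

// SignTargets is the publisher side. With hardware signing the private key stays on the USB
// device and only this sign call crosses that boundary; here it is an in-memory key (assumption).
func SignTargets(priv ed25519.PrivateKey, t Targets) (body, sig []byte, err error) {
	if body, err = json.Marshal(t); err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(priv, body), nil
}

// VerifyPull is the consumer side: the signature proves who published the targets document,
// and the digest check proves the pulled bytes are the ones that publisher listed for the tag.
func VerifyPull(pub ed25519.PublicKey, body, sig []byte, tag string, image []byte) error {
	if !ed25519.Verify(pub, body, sig) {
		return fmt.Errorf("targets signature invalid: wrong publisher or tampered metadata")
	}
	var t Targets
	if err := json.Unmarshal(body, &t); err != nil {
		return err
	}
	if want, got := t[tag], Digest(image); want == "" || got != want {
		return fmt.Errorf("tag %q: digest %s is not what the signed targets list", tag, got)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	img := []byte("constructed image bytes") // stands in for pulled image content
	body, sig, _ := SignTargets(priv, Targets{"app:1.0": Digest(img)})
	fmt.Println(VerifyPull(pub, body, sig, "app:1.0", img))                 // <nil>
	fmt.Println(VerifyPull(pub, body, sig, "app:1.0", []byte("tampered"))) // digest error
}
```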

Project Nautilus is an open source project developing a scanner that performs security analysis on Docker images. An important feature of Nautilus is that it is not limited to checking for known vulnerabilities: it performs deep content analysis that can interpret the semantics of instructions rather than only matching known malicious patterns or indicators.

Nautilus is used to scan official images in the Docker Hub repository. The Docker team expects to make it publicly available in the near future.
