What is Docker Content Trust and how can it help enterprises maintain container security? What are the potential implications for companies using Docker in the cloud?
Docker Content Trust is a code signing framework that enables developers to cryptographically sign application code before pushing the code to a Docker registry. The code is signed with the developer's private key, and users of the code can verify its authenticity with the developer's public key.
Docker Content Trust uses two kinds of keys: offline keys and tagging keys. A tagging key is associated with the repositories a publisher owns and is the key used for day-to-day signing. The offline key is the root of trust for a repository.
One advantage of Docker Content Trust is that it mitigates the risk of man-in-the-middle (MitM) attacks. For example, if a Docker registry is compromised and serves malicious content, users detect the tampering when the content is verified against the developer's public key. Unless the attacker also had access to the developer's private key, they could not create an image that would pass that check. In addition to defending against MitM attacks, Docker Content Trust uses timestamps to counter replay attacks, in which a malicious actor serves an older, still validly signed version of the code.
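The following Go program is an added illustration of the two-key model and the checks just described; it is not code from Docker or Notary. It assumes Ed25519 signatures (the real system's key types and metadata layout differ), a single version counter per publisher instead of Notary's per-file versions, and constructed tag names and digests. An offline key signs a delegation naming the tagging key; the tagging key signs tag metadata carrying the digest, a version and an expiry; the client verifies the chain and rejects content that is unsigned, signed by an undelegated key, expired, or a replay of metadata older than what it has already accepted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Delegation is what the offline (root) key signs: the tagging key allowed to sign tags.
// TagRecord is what the tagging key signs; Expires is the timestamp that defeats replay.
type Delegation struct {
	TaggingKey ed25519.PublicKey `json:"tagging_key"`
}

type TagRecord struct {
	Tag     string    `json:"tag"`
	Digest  string    `json:"digest"`
	Version int       `json:"version"`
	Expires time.Time `json:"expires"`
}

// Envelope carries the exact bytes that were signed plus the signature over them.
type Envelope struct {
	Payload []byte
	Sig     []byte
}

func sign(priv ed25519.PrivateKey, v interface{}) Envelope {
	payload, err := json.Marshal(v)
	if err != nil {
		panic(err)
	}
	return Envelope{Payload: payload, Sig: ed25519.Sign(priv, payload)}
}

// Publisher keeps only the tagging key online; the offline key signs the delegation
// once in NewPublisher and is then dropped. One version counter is a simplification.
type Publisher struct {
	taggingPriv ed25519.PrivateKey
	version     int
}

// NewPublisher returns the publisher, the signed delegation and the pinned offline public key.
func NewPublisher() (*Publisher, Envelope, ed25519.PublicKey) {
	rootPub, rootPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tagPub, tagPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Publisher{taggingPriv: tagPriv}, sign(rootPriv, Delegation{TaggingKey: tagPub}), rootPub
}

// SignTag publishes signed metadata binding tag -> digest, valid for ttl.
func (p *Publisher) SignTag(tag, digest string, ttl time.Duration) Envelope {
	p.version++
	return sign(p.taggingPriv, TagRecord{Tag: tag, Digest: digest,
		Version: p.version, Expires: time.Now().Add(ttl).UTC()})
}

// Client verifies offline key -> tagging key -> tag metadata and remembers the highest
// version it has accepted, so a replayed older record is rejected. Only RootPub must be set.
type Client struct {
	RootPub     ed25519.PublicKey
	lastVersion int
}

// Resolve returns the digest a tag resolves to, or an error naming the failed check.
func (c *Client) Resolve(del, tag Envelope) (string, error) {
	var d Delegation
	if !ed25519.Verify(c.RootPub, del.Payload, del.Sig) || json.Unmarshal(del.Payload, &d) != nil {
		return "", errors.New("delegation is not validly signed by the offline key")
	}
	var r TagRecord
	if !ed25519.Verify(d.TaggingKey, tag.Payload, tag.Sig) || json.Unmarshal(tag.Payload, &r) != nil {
		return "", errors.New("tag metadata is not validly signed by the delegated tagging key")
	}
	if !time.Now().Before(r.Expires) {
		return "", errors.New("tag metadata has expired")
	}
	if r.Version < c.lastVersion {
		return "", errors.New("replay: metadata is older than a version already accepted")
	}
	c.lastVersion = r.Version
	return r.Digest, nil
}

func main() {
	pub, del, rootPub := NewPublisher()
	client := &Client{RootPub: rootPub}
	v1 := pub.SignTag("latest", "sha256:1111", time.Hour) // constructed sample digest
	fmt.Println(client.Resolve(del, v1))
	fmt.Println(client.Resolve(del, pub.SignTag("latest", "sha256:2222", time.Hour)))
	fmt.Println(client.Resolve(del, v1)) // replaying the older v1 is rejected
}
```

The client pins only the offline public key; everything else it trusts is derived from signatures that chain back to it. Note that the version check sits after the expiry check, so even a replay of metadata that has not yet expired is caught by the monotonic version, which is how timestamped metadata and version counters complement each other in The Update Framework.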
Docker Content Trust uses the Notary system, an open source application for publishing and securing content. Notary implements The Update Framework (TUF), a design that addresses known attacks on the software update process.
Companies using Docker in the cloud should consider using Docker Content Trust to address the risk of deploying malicious content. Cloud infrastructure is highly dynamic and automated, so images are frequently pulled and deployed without a human in the loop. Docker Content Trust introduces mechanisms to mitigate known attacks on software update processes and adds another layer of checking and validation to automated infrastructure management.