Andrea Danti - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

What does Docker Content Trust mean for container security?

Docker Content Trust offers improved container security through code signing. Expert Dan Sullivan explains why this matters for enterprise cloud users.

What is Docker Content Trust and how can it help enterprises maintain container security? What are the potential implications for companies using Docker in the cloud?

Docker Content Trust is a code signing framework that enables developers to cryptographically sign application code before pushing the code to a Docker registry. The code is signed with the developer's private key, and users of the code can verify its authenticity with the developer's public key.

Docker Content Trust uses two keys: offline keys and tagging keys. A tagging key is associated with repositories owned by publishers. The offline key is the root of trust for a repository.

One advantage of using Docker Content Trust is it mitigates the risk of man-in-the-middle attacks (MitM). For example, if a Docker registry is compromised and it uploads malicious content, users will detect the content when it is verified against the developer's public key. Unless an MitM attacker also had access to the developer's private key, the attacker could not create an image that would pass the public key check. In addition to avoiding MitM attacks, Docker Content Trust uses timestamps to counter the threat of a malicious actor executing a replay attack with an older version of code.

Docker Content Trust uses the Notary system, which is an open source application for publishing and securing content. Notary implements The Update Framework, which is a design that addresses known attacks on the software update process.

Companies using Docker in the cloud should consider using Docker Content Trust to address the risk of deploying malicious content. Cloud infrastructure is highly dynamic and automated. Docker Content Trust introduces mechanisms to mitigate the risk of known attacks on software update processes and adds another type of check and validation on automated infrastructure management.

Next Steps

Find out more about how Docker container storage works.

Learn about how Docker container technology fits into the enterprise cloud.

Find out whether container technology is a good fit for your organization.

Dig Deeper on Cloud Computing Frameworks and Standards

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

How does Docker Content Trust address container security issues for your organization?
This is another solid step forward for Docker. Eliminating the potential for man in the middle attacks should prove to be enticing to many of the organizations that have been holding off on adopting the technology due to security concerns.