Andrea Danti - Fotolia

What does Docker Content Trust mean for container security?

Docker Content Trust offers improved container security through code signing. Expert Dan Sullivan explains why this matters for enterprise cloud users.

What is Docker Content Trust and how can it help enterprises maintain container security? What are the potential implications for companies using Docker in the cloud?

Docker Content Trust is a code signing framework that enables developers to cryptographically sign application code before pushing the code to a Docker registry. The code is signed with the developer's private key, and users of the code can verify its authenticity with the developer's public key.

Docker Content Trust uses two keys: offline keys and tagging keys. A tagging key is associated with repositories owned by publishers. The offline key is the root of trust for a repository.

One advantage of using Docker Content Trust is it mitigates the risk of man-in-the-middle attacks (MitM). For example, if a Docker registry is compromised and it uploads malicious content, users will detect the content when it is verified against the developer's public key. Unless an MitM attacker also had access to the developer's private key, the attacker could not create an image that would pass the public key check. In addition to avoiding MitM attacks, Docker Content Trust uses timestamps to counter the threat of a malicious actor executing a replay attack with an older version of code.

Docker Content Trust uses the Notary system, which is an open source application for publishing and securing content. Notary implements The Update Framework, which is a design that addresses known attacks on the software update process.

Companies using Docker in the cloud should consider using Docker Content Trust to address the risk of deploying malicious content. Cloud infrastructure is highly dynamic and automated. Docker Content Trust introduces mechanisms to mitigate the risk of known attacks on software update processes and adds another type of check and validation on automated infrastructure management.

Next Steps

Find out more about how Docker container storage works.

Learn about how Docker container technology fits into the enterprise cloud.

Find out whether container technology is a good fit for your organization.

Dig Deeper on Cloud Computing Frameworks and Standards