Docker Content Trust steps up container security
Its latest push in this area, Docker Content Trust, provides a way for users of containerized apps to ensure that the container's publisher and content are who they say they are. Content Trust also makes this verification a standard mechanism, at least when Docker's content-delivery infrastructure (such as Docker Hub) is concerned.
Docker Content Trust works by making sure containers are signed by their creators before they're publicly available, with the signatures verifiable by users. Two keys are used in the process: a per-repository key, for signing Docker images (available online), and a root key to create new per-repository keys (kept offline).
With this two-key mechanism, it's more difficult to forge signatures since an attacker would need access to both keys to pull off the feat. If a per-repository key were to be stolen, the publisher would be able to generate a new one with the root key.
This key-signing system is built using an existing Docker project, Notary. Close integration with the Docker Engine means common actions for containers can be constrained only to use signed content. (Docker 1.8, the latest release, includes these features, though they're disabled by default.)
Docker security lead Diego Monica explained in a phone call that Docker's main rationale for doing this is to "raise the bar for trusted delivery of content" and to "have a base layer of security for trusted content that is open source and audited by the community, and enables everyone else to build on top of the Docker platform."
These first steps with Content Trust involve leading by example; it's positioned as the standard for delivering trusted content through Docker's official repositories -- but as an opt-in mechanism at first. if you're deploying via a private repository, you can also use Docker Content Trust to sign content, though without dependencies on external sources of trust.
In the past, the company heralded its "batteries included, but optional" approach to its product design. While recommended practices are available in Docker by default, it's not the only path.
But with security -- especially a security process, rather than a pluggable behavior -- Docker may not have a choice but to be opinionated. That said, the company claims to have received deeply positive feedback from its community over Content Trust.