GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → containerd → imgcrypt

containerd / imgcrypt

Licence: Apache-2.0 license
OCI Image Encryption Package

Programming Languages

go
31211 projects - #10 most used programming language
shell
77523 projects
Makefile
30231 projects

Labels

encryptioncontainersgpgocioci-image

Projects that are alternatives of or similar to imgcrypt

Buildkit
concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit
Stars: ✭ 4,537 (+2020.09%)
Mutual labels:  oci, oci-image
ctnr
rootless runc-based container engine - deprecated in favour of podman
Stars: ✭ 30 (-85.98%)
Mutual labels:  oci, oci-image
oci-build-task
a Concourse task for building OCI images
Stars: ✭ 57 (-73.36%)
Mutual labels:  oci, oci-image
Clair
Vulnerability Static Analysis for Containers
Stars: ✭ 8,356 (+3804.67%)
Mutual labels:  oci, oci-image
ocibuilder
A tool to build OCI compliant images
Stars: ✭ 63 (-70.56%)
Mutual labels:  oci, oci-image
vilicus
Vilicus is an open source tool that orchestrates security scans of container images(docker/oci) and centralizes all results into a database for further analysis and metrics.
Stars: ✭ 82 (-61.68%)
Mutual labels:  oci, oci-image
filegrain
transport-agnostic, fine-grained content-addressable container image layout
Stars: ✭ 23 (-89.25%)
Mutual labels:  oci, oci-image
fullmetalupdate
FullMetalUpdate Python client application.
Stars: ✭ 19 (-91.12%)
Mutual labels:  oci, oci-image
dotfiles
🏡 Personal dotfiles configuration
Stars: ✭ 73 (-65.89%)
Mutual labels:  gpg
Cloud-Service-Providers-Free-Tier-Overview
Comparing the free tier offers of the major cloud providers like AWS, Azure, GCP, Oracle etc.
Stars: ✭ 226 (+5.61%)
Mutual labels:  oci
oci-cloudera
Terraform module to deploy Cloudera on Oracle Cloud Infrastructure (OCI)
Stars: ✭ 20 (-90.65%)
Mutual labels:  oci
airgap
Offline LiveUSB to generate and manage secret keys for things such as gpg, certificates, and cryptocurrency
Stars: ✭ 92 (-57.01%)
Mutual labels:  gpg
istio
istio offical suppport for arm64 will land since v1.15
Stars: ✭ 168 (-21.5%)
Mutual labels:  oci
rune
tool to query for tokens and passwords for use as environment variables
Stars: ✭ 13 (-93.93%)
Mutual labels:  gpg
cdxgen
Creates CycloneDX Software Bill-of-Materials (SBOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI//CD pipeline with automatic submission to Dependency Track server.
Stars: ✭ 75 (-64.95%)
Mutual labels:  oci
essex
Essex - Boilerplate for Docker Based Projects
Stars: ✭ 32 (-85.05%)
Mutual labels:  oci
nix2container
An archive-less dockerTools.buildImage implementation
Stars: ✭ 133 (-37.85%)
Mutual labels:  oci
prs
🔐 A secure, fast & convenient password manager CLI using GPG and git to sync.
Stars: ✭ 120 (-43.93%)
Mutual labels:  gpg
bash-backup
Simple backup script for GNU/Linux servers
Stars: ✭ 76 (-64.49%)
Mutual labels:  gpg
terraform-oci-vcn
A reusable and extensible Terraform module that provisions a VCN on Oracle Cloud Infrastructure
Stars: ✭ 22 (-89.72%)
Mutual labels:  oci
View All Similar Projects ➔

imgcrypt image encryption library and command line tool

Project imgcrypt is a non-core subproject of containerd.

The imgcrypt library provides API exensions for containerd to support encrypted container images and implements the ctd-decoder command line tool for use by containerd to decrypt encrypted container images. An extended version of containerd's ctr tool (`ctr-enc') with support for encrypting and decrypting container images is also provided.

imgcrypt relies on the ocicrypt library for crypto functions on image layers.

Usage

imgcrypt requires containerd 1.3 or later. Containerd 1.4 or later is required when used with Kubernetes. For configuration instructions for kubernetes, please consult the CRI decryption document.

Build and install imgcrypt:

# make
# sudo make install

Start containerd with a configuration file that looks as follows. To avoid interference with a containerd from a Docker installation we use /tmp for directories. Also, we build containerd 1.3 from the source but do not install it.

# cat config.toml
disable_plugins = ["cri"]
root = "/tmp/var/lib/containerd"
state = "/tmp/run/containerd"
[grpc]
  address = "/tmp/run/containerd/containerd.sock"
  uid = 0
  gid = 0
[stream_processors]
    [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.gzip"]
        accepts = ["application/vnd.oci.image.layer.v1.tar+gzip+encrypted"]
        returns = "application/vnd.oci.image.layer.v1.tar+gzip"
        path = "/usr/local/bin/ctd-decoder"
    [stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
        accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"]
        returns = "application/vnd.oci.image.layer.v1.tar"
        path = "/usr/local/bin/ctd-decoder"

# sudo ~/src/github.com/containerd/containerd/bin/containerd -c config.toml

Create an RSA key pair using the openssl command line tool and encrypted an image:

# openssl genrsa -out mykey.pem
Generating RSA private key, 2048 bit long modulus (2 primes)
...............................................+++++
............................+++++
e is 65537 (0x010001)
# openssl rsa -in mykey.pem -pubout -out mypubkey.pem
writing RSA key
# sudo chmod 0666 /tmp/run/containerd/containerd.sock
# CTR="/usr/local/bin/ctr-enc -a /tmp/run/containerd/containerd.sock"
# $CTR images pull --all-platforms docker.io/library/bash:latest
[...]
# $CTR images layerinfo --platform linux/amd64 docker.io/library/bash:latest
   #                                                                    DIGEST      PLATFORM      SIZE   ENCRYPTION   RECIPIENTS
   0   sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609   linux/amd64   2789669                          
   1   sha256:7dd01fd971d4ec7058c5636a505327b24e5fc8bd7f62816a9d518472bd9b15c0   linux/amd64   3174665                          
   2   sha256:691cfbca522787898c8b37f063dd20e5524e7d103e1a3b298bd2e2b8da54faf5   linux/amd64       340                          
# $CTR images encrypt --recipient jwe:mypubkey.pem --platform linux/amd64 docker.io/library/bash:latest bash.enc:latest
Encrypting docker.io/library/bash:latest to bash.enc:latest
$ $CTR images layerinfo --platform linux/amd64 bash.enc:latest
   #                                                                    DIGEST      PLATFORM      SIZE   ENCRYPTION   RECIPIENTS
   0   sha256:360be141b01f69b25427a9085b36ba8ad7d7a335449013fa6b32c1ecb894ab5b   linux/amd64   2789669          jwe        [jwe]
   1   sha256:ac601e66cdd275ee0e10afead03a2722e153a60982122d2d369880ea54fe82f8   linux/amd64   3174665          jwe        [jwe]
   2   sha256:41e47064fd00424e328915ad2f7f716bd86ea2d0d8315edaf33ecaa6a2464530   linux/amd64       340          jwe        [jwe]

Start a local image registry so we can push the encrypted image to it. A recent versions of the registry is required to accept encrypted container images.

# docker pull registry:latest
# docker run -d -p 5000:5000 --restart=always --name registry registry

Push the encrypted image to the local registry, pull it using ctr-enc, and then run the image.

# $CTR images tag bash.enc:latest localhost:5000/bash.enc:latest
# $CTR images push localhost:5000/bash.enc:latest
# $CTR images rm localhost:5000/bash.enc:latest bash.enc:latest
# $CTR images pull localhost:5000/bash.enc:latest
# sudo $CTR run --rm localhost:5000/bash.enc:latest test echo 'Hello World!'
ctr: you are not authorized to use this image: missing private key needed for decryption
# sudo $CTR run --rm --key mykey.pem localhost:5000/bash.enc:latest test echo 'Hello World!'
Hello World!

Project details

imgcrypt is a non-core containerd sub-project, licensed under the Apache 2.0 license. As a containerd sub-project, you will find the:

information in our containerd/project repository.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].