3

I was wondering if there are any generic procedures to secure the content of docker containers against extracting sensitive source code.

At the moment, I secure my Python application naively by encrypting and decrypting the sources based on a license.

Is there any solution that is independent of the content of the docker container? Like adding a license registry to docker?

I was thinking about a procedure that checks a license server at the beginning of startup.

Antonio Petricca
    See [Is distributing python source code in Docker secure?](https://stackoverflow.com/questions/51552706/is-distributing-python-source-code-in-docker-secure) or [How do I protect Python code from being read by users?](https://stackoverflow.com/questions/261638/how-do-i-protect-python-code-from-being-read-by-users): anyone who has a Docker image can trivially extract its content, and with an interpreted language like Python distributing an image is no more or less secure than distributing its source or the other approaches you discuss. – David Maze Mar 30 '22 at 12:11
  • You are right, that's why I was investigating solutions from companies like Wibu Systems (https://www.wibu.com/products/protection-suite/axprotector-python.html) to decrypt interpreted languages at runtime. But securing the whole docker image seems to be a more generic solution :). – Tom Hammerbacher Mar 31 '22 at 10:10
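To make the point of the comment above concrete: the output of `docker save` is an ordinary tar archive (a `manifest.json` listing one `layer.tar` per layer), so reading every `.py` file out of an image needs nothing beyond the standard library. The following is an added example and not code from the question, the comments, or the linked answers; it builds a small archive in memory that mimics that layout, with constructed file contents, and then pulls the sources back out of it.

```python
"""Added example: show that a saved Docker image is just nested tar archives.

This is not code from the question or its comments. It builds a small
archive in memory that mimics the layout `docker save` produces
(manifest.json plus one layer.tar per layer), then pulls every .py file
back out of it with nothing but the standard library. The image
contents are constructed here for illustration.
"""
import io
import json
import tarfile


def _tar_bytes(files):
    """Build an in-memory tar archive from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_fake_saved_image():
    """Constructed stand-in for `docker save myapp:latest > image.tar`."""
    base_layer = _tar_bytes({
        "usr/lib/python3.10/site-packages/requests/__init__.py": b"# third party\n",
    })
    app_layer = _tar_bytes({
        "app/main.py": b"API_KEY = 'constructed-secret'\nprint('hello')\n",
        "app/license.py": b"def check():\n    return True\n",
    })
    manifest = [{
        "Config": "cafe.json",
        "RepoTags": ["myapp:latest"],
        "Layers": ["layer0/layer.tar", "layer1/layer.tar"],
    }]
    return _tar_bytes({
        "manifest.json": json.dumps(manifest).encode(),
        "cafe.json": b"{}",
        "layer0/layer.tar": base_layer,
        "layer1/layer.tar": app_layer,
    })


def extract_sources(image_tar, suffix=".py"):
    """Return {path: text} for every file ending in `suffix` across all layers.

    Later layers overwrite earlier ones, as they would at container runtime.
    Whiteout entries (.wh.*) are not handled here; they never carry source.
    """
    found = {}
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as outer:
        manifest = json.load(outer.extractfile("manifest.json"))
        for layer_path in manifest[0]["Layers"]:
            layer_blob = outer.extractfile(layer_path).read()
            with tarfile.open(fileobj=io.BytesIO(layer_blob)) as layer:
                for member in layer.getmembers():
                    if member.isfile() and member.name.endswith(suffix):
                        found[member.name] = layer.extractfile(member).read().decode()
    return found


if __name__ == "__main__":
    for path, text in extract_sources(build_fake_saved_image()).items():
        print(f"== {path}\n{text}")
```

Against a real image, replace `build_fake_saved_image()` with the bytes of `docker save myapp:latest`. If the sources had been encrypted as described in the question, the decryption routine and whatever fetches the key would come out of the same archive, which is why the license-based approach only raises the effort slightly.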

2 Answers

4

The short answer here is that there is not a generic method for securing the contents of your containers without encrypting the contents.

Since the nature of Docker is open, the main security with Docker images is controlling who can access the image (e.g. private image hosting), which depends on the security of your method of distribution.

However, you can encrypt the layers of your images using other tools, such as ocicrypt. There are efforts to modify the containerd used by Docker so that it supports images whose layers are encrypted by ocicrypt.

Overview article:

https://developer.ibm.com/articles/encrypted-container-images-for-container-image-security-at-rest/

Code:

https://github.com/containerd/imgcrypt

https://github.com/containers/ocicrypt

pcamach2
    Thanks for your answer! I have to earn more reputation until I can upvote your answer. But it helped me to dive into the topic :). – Tom Hammerbacher Mar 31 '22 at 10:05
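Once an image has been encrypted with ocicrypt, the practical check is that every layer in the manifest actually carries the encrypted media type and a wrapped key, since a single plaintext layer left behind (a forgotten base layer, say) undoes the point of the exercise. The following is an added example, not code from the answer or from the ocicrypt/imgcrypt projects: it reads an OCI image manifest and reports the state of each layer. The `+encrypted` media-type suffix and the `org.opencontainers.image.enc.*` annotation names are the ones ocicrypt writes; the manifest itself is constructed for illustration.

```python
"""Added example: check that every layer of an OCI manifest is encrypted.

Not code from the answer or from the ocicrypt/imgcrypt projects. It reads a
manifest as stored in an OCI layout or registry and flags layers that are
still in the clear. The media-type suffix and annotation names are the ones
ocicrypt writes; the sample manifest below is constructed for illustration.
"""
import json

ENCRYPTED_SUFFIX = "+encrypted"
KEY_WRAP_ANNOTATIONS = {
    "org.opencontainers.image.enc.keys.jwe": "jwe",
    "org.opencontainers.image.enc.keys.pgp": "pgp",
    "org.opencontainers.image.enc.keys.pkcs7": "pkcs7",
    "org.opencontainers.image.enc.keys.pkcs11": "pkcs11",
}

# Constructed manifest: first layer encrypted (JWE-wrapped key), second plain.
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
               "digest": "sha256:" + "0" * 64, "size": 1},
    "layers": [
        {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip+encrypted",
         "digest": "sha256:" + "1" * 64, "size": 1,
         "annotations": {
             "org.opencontainers.image.enc.keys.jwe": "eyJ...constructed...",
             "org.opencontainers.image.enc.pubopts": "eyJ...constructed...",
         }},
        {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
         "digest": "sha256:" + "2" * 64, "size": 1},
    ],
})


def audit_layers(manifest_json):
    """Return a list of (digest, encrypted, wrapping_schemes), one per layer."""
    manifest = json.loads(manifest_json)
    report = []
    for layer in manifest.get("layers", []):
        encrypted = layer["mediaType"].endswith(ENCRYPTED_SUFFIX)
        ann = layer.get("annotations", {})
        schemes = sorted(v for k, v in KEY_WRAP_ANNOTATIONS.items() if k in ann)
        report.append((layer["digest"], encrypted, schemes))
    return report


def all_layers_encrypted(manifest_json):
    """True only if every layer is encrypted and carries at least one wrapped key.

    An encrypted media type without a key annotation is unusable, and a key
    annotation on a plaintext media type is inconsistent; both fail the check.
    """
    report = audit_layers(manifest_json)
    return bool(report) and all(enc and schemes for _, enc, schemes in report)


if __name__ == "__main__":
    for digest, enc, schemes in audit_layers(SAMPLE_MANIFEST):
        state = "encrypted (" + ",".join(schemes) + ")" if enc else "PLAINTEXT"
        print(f"{digest[:19]}...  {state}")
    print("all layers encrypted:", all_layers_encrypted(SAMPLE_MANIFEST))
```

Feed it the manifest blob from the OCI layout or from the registry's manifest endpoint; for an image already imported into containerd, imgcrypt's `ctr-enc images layerinfo` prints the same per-layer information. Keep in mind what this protects: the layers are unreadable in the registry and in transit, but the node that runs the container must hold the private key and writes the decrypted layers to its own disk, so anyone with root on that host can still read the sources. Layer encryption addresses the distribution path the answer describes, not a hostile runtime host.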
0

You can use Cosign https://github.com/sigstore/cosign, which is used for Container Signing, Verification and Storage in an OCI registry.

pigletfly