Docker, the startup whose tooling made building and deploying applications in Linux containers popular, today announced Content Trust, a feature in the latest version of its open-source software that adds a layer of security for people using containers.
Docker Content Trust, available as of Docker version 1.8.0, lets the Docker client verify that a container image was signed by its publisher and has not been tampered with before it is pulled from the publicly available Docker Hub and run. The idea is to give companies assurance that they won't be deploying something potentially dangerous on top of their infrastructure. In this first release the feature is opt-in: it is switched on per client by setting the environment variable DOCKER_CONTENT_TRUST=1, after which pulls of unsigned or tampered images fail rather than succeed silently.
And that’s important as Docker looks to make containers a viable alternative to more traditional virtual machine technology from staid vendors like Citrix, Microsoft, and VMware.
Linux containers, which rely on virtualization at the operating system level, offer certain advantages over virtual machines, but convincing big companies that containers based on open-source software can be just as secure as proprietary virtualization technology is a challenge that privately held Docker must face. So security has been a priority, alongside the push to sell on-premises software.
Here’s how Content Trust works, according to a statement on the news today from Docker:
Docker Content Trust has two distinct keys, an Offline (root) key and a Tagging (per-repository) key, that are generated and stored client-side the first time a publisher pushes an image. Each repository has its own unique tagging key, which allows the holder to digitally sign Docker images for a particular repository. The tagging key is used any time new content is added to or removed from the repository. Because the tagging key is online, it is vulnerable to being compromised. With Docker Content Trust, the publisher will be able to securely rotate compromised keys by using the offline key, which should be securely stored offline.
Docker Content Trust also generates a Timestamp key that provides protection against replay attacks, which would allow a malicious actor to serve signed but expired content. Docker manages the Timestamp key for you, reducing the hassle of having to constantly refresh the content client-side.
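The three-key arrangement in the statement above is easier to see in code. The following Go program is an added example written for this article; it is not Docker's or Notary's own code and does not use Notary's real metadata format (TUF-style JSON), key types, or wire protocol. It assumes Ed25519 keys, gives the root document a version number so a client can refuse an older root that an attacker replays after a rotation, and models the server-side timestamp signer as a `Stamp` function that timestamps whatever it is handed, leaving every check to the client. The scenario walks through a normal pull, a replay of expired metadata, a forgery with a leaked tagging key after the offline root key has rotated it out, and a rollback to the pre-rotation root.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Signed is a JSON payload plus an Ed25519 signature and the public key that made it.
type Signed struct {
	Payload, Sig []byte
	Key          ed25519.PublicKey
}

func sign(priv ed25519.PrivateKey, v interface{}) Signed {
	b, _ := json.Marshal(v)
	return Signed{Payload: b, Sig: ed25519.Sign(priv, b), Key: priv.Public().(ed25519.PublicKey)}
}

// Root is signed by the offline root key and names the trusted tagging and timestamp keys.
// Version (an assumption of this model) lets a client reject a replayed older root.
type Root struct {
	Version                  int
	TaggingKey, TimestampKey []byte
}

// Targets maps tags to image digests; signed by the online, per-repository tagging key.
type Targets struct{ Tags map[string]string }

// Timestamp binds a hash of Targets to an expiry; signed by the server-managed timestamp key.
type Timestamp struct {
	TargetsHash [32]byte
	Expires     time.Time
}

// Release is what a client fetches for one pull: the three signed documents together.
type Release struct{ Root, Targets, Timestamp Signed }

func genKey() ed25519.PrivateKey     { _, priv, _ := ed25519.GenerateKey(rand.Reader); return priv }
func pub(priv ed25519.PrivateKey) []byte { return priv.Public().(ed25519.PublicKey) }

// Publisher holds all three keys in this model; in practice rootPriv lives offline,
// TagPriv on the publisher's machine, and tsPriv on the registry side (hence exported TagPriv:
// it is the key the scenario treats as leaked).
type Publisher struct {
	rootPriv, TagPriv, tsPriv ed25519.PrivateKey
	root                      Signed
	tags                      map[string]string
}

func NewPublisher() *Publisher {
	p := &Publisher{rootPriv: genKey(), TagPriv: genKey(), tsPriv: genKey(), tags: map[string]string{}}
	p.signRoot()
	return p
}

func (p *Publisher) RootPub() ed25519.PublicKey { return pub(p.rootPriv) }

// signRoot issues a new, higher-versioned Root naming the current tagging and timestamp keys.
func (p *Publisher) signRoot() {
	var r Root
	if p.root.Payload != nil {
		json.Unmarshal(p.root.Payload, &r)
	}
	r.Version++
	r.TaggingKey, r.TimestampKey = pub(p.TagPriv), pub(p.tsPriv)
	p.root = sign(p.rootPriv, r)
}

// RotateTaggingKey is the recovery path for a compromised tagging key: a fresh key is
// generated and the offline root key signs a new Root that names only the new key.
func (p *Publisher) RotateTaggingKey() { p.TagPriv = genKey(); p.signRoot() }

// Publish signs the tag table with the tagging key and obtains a fresh timestamp over it.
func (p *Publisher) Publish(tag, digest string, now time.Time, ttl time.Duration) Release {
	p.tags[tag] = digest
	return p.Stamp(sign(p.TagPriv, Targets{Tags: p.tags}), now, ttl)
}

// Stamp models the server side: it timestamps whatever Targets it is handed (assumption);
// the client, not the server, decides whether the tagging signature is acceptable.
func (p *Publisher) Stamp(targets Signed, now time.Time, ttl time.Duration) Release {
	ts := sign(p.tsPriv, Timestamp{TargetsHash: sha256.Sum256(targets.Payload), Expires: now.Add(ttl)})
	return Release{Root: p.root, Targets: targets, Timestamp: ts}
}

// Client pins the root public key on first use and remembers the highest root version seen.
type Client struct {
	RootPub     ed25519.PublicKey
	rootVersion int
}

// Pull checks root -> tagging key -> tag table, then timestamp -> freshness, and returns the
// digest the client is allowed to fetch for tag, or an error that would abort the pull.
func (c *Client) Pull(rel Release, tag string, now time.Time) (string, error) {
	if !ed25519.Verify(c.RootPub, rel.Root.Payload, rel.Root.Sig) {
		return "", errors.New("root not signed by pinned root key")
	}
	var r Root
	json.Unmarshal(rel.Root.Payload, &r)
	if r.Version < c.rootVersion {
		return "", errors.New("root rollback: older than previously seen version")
	}
	c.rootVersion = r.Version
	if !bytes.Equal(rel.Targets.Key, r.TaggingKey) || !ed25519.Verify(rel.Targets.Key, rel.Targets.Payload, rel.Targets.Sig) {
		return "", errors.New("targets not signed by the tagging key named in root")
	}
	if !bytes.Equal(rel.Timestamp.Key, r.TimestampKey) || !ed25519.Verify(rel.Timestamp.Key, rel.Timestamp.Payload, rel.Timestamp.Sig) {
		return "", errors.New("timestamp not signed by the timestamp key named in root")
	}
	var ts Timestamp
	json.Unmarshal(rel.Timestamp.Payload, &ts)
	if ts.TargetsHash != sha256.Sum256(rel.Targets.Payload) {
		return "", errors.New("timestamp does not cover these targets")
	}
	if !now.Before(ts.Expires) {
		return "", errors.New("timestamp expired: stale or replayed metadata")
	}
	var t Targets
	json.Unmarshal(rel.Targets.Payload, &t)
	d, ok := t.Tags[tag]
	if !ok {
		return "", fmt.Errorf("tag %q is not signed in this repository", tag)
	}
	return d, nil
}

func main() {
	now := time.Now()
	p := NewPublisher()
	c := &Client{RootPub: p.RootPub()}
	rel := p.Publish("1.8.0", "sha256:aaaa", now, time.Hour) // constructed sample digest
	fmt.Println(c.Pull(rel, "1.8.0", now))                    // normal pull succeeds
	fmt.Println(c.Pull(rel, "1.8.0", now.Add(2*time.Hour)))   // replayed, expired metadata
	leaked := p.TagPriv
	p.RotateTaggingKey() // offline root key signs a root naming a new tagging key
	forged := p.Stamp(sign(leaked, Targets{Tags: map[string]string{"1.8.0": "sha256:evil"}}), now, time.Hour)
	fmt.Println(c.Pull(forged, "1.8.0", now)) // leaked key no longer named in root
	fmt.Println(c.Pull(rel, "1.8.0", now))    // old root is a rollback after v2 was seen
}
```

The two halves map onto the statement: the tagging key's compromise is survivable because the client trusts only whatever key the root-signed document currently names, and the timestamp's expiry is what turns "signed but old" content from a valid pull into an error. Note that the version check is what makes rotation hold up against an attacker who also replays the old root; without it, rotation alone would not help.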
To learn more about Docker Content Trust, which builds on the Notary technology Docker announced at the 2015 DockerCon conference in San Francisco in June, check out the description of the feature on Docker’s website. See also Docker’s blog post on the news.