• Stars
    star
    332
  • Rank 126,957 (Top 3 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created about 5 years ago
  • Updated 7 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

OCI Image Encryption Package

imgcrypt image encryption library and command line tool

Project imgcrypt is a non-core subproject of containerd.

The imgcrypt library provides API extensions for containerd to support encrypted container images and implements the ctd-decoder command line tool for use by containerd to decrypt encrypted container images. An extended version of containerd's ctr tool (ctr-enc) with support for encrypting and decrypting container images is also provided.

imgcrypt relies on the ocicrypt library for crypto functions on image layers.

Usage

imgcrypt requires containerd 1.3 or later. Containerd 1.4 or later is required when used with Kubernetes. For configuration instructions for kubernetes, please consult the CRI decryption document.

Build and install imgcrypt:

# make
# sudo make install

Start containerd with a configuration file that looks as follows. To avoid interference with a containerd from a Docker installation we use /tmp for directories. Also, we build containerd 1.3 from the source but do not install it.

# cat config.toml
disable_plugins = ["cri"]
root = "/tmp/var/lib/containerd"
state = "/tmp/run/containerd"
[grpc]
  address = "/tmp/run/containerd/containerd.sock"
  uid = 0
  gid = 0
[stream_processors]
    [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.gzip"]
        accepts = ["application/vnd.oci.image.layer.v1.tar+gzip+encrypted"]
        returns = "application/vnd.oci.image.layer.v1.tar+gzip"
        path = "/usr/local/bin/ctd-decoder"
    [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.zstd"]
        accepts = ["application/vnd.oci.image.layer.v1.tar+zstd+encrypted"]
        returns = "application/vnd.oci.image.layer.v1.tar+zstd"
        path = "/usr/local/bin/ctd-decoder"
    [stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
        accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"]
        returns = "application/vnd.oci.image.layer.v1.tar"
        path = "/usr/local/bin/ctd-decoder"

# sudo ~/src/github.com/containerd/containerd/bin/containerd -c config.toml

Create an RSA key pair using the openssl command line tool and encrypted an image:

# openssl genrsa -out mykey.pem
Generating RSA private key, 2048 bit long modulus (2 primes)
...............................................+++++
............................+++++
e is 65537 (0x010001)
# openssl rsa -in mykey.pem -pubout -out mypubkey.pem
writing RSA key
# sudo chmod 0666 /tmp/run/containerd/containerd.sock
# CTR="/usr/local/bin/ctr-enc -a /tmp/run/containerd/containerd.sock"
# $CTR images pull --all-platforms docker.io/library/bash:latest
[...]
# $CTR images layerinfo --platform linux/amd64 docker.io/library/bash:latest
   #                                                                    DIGEST      PLATFORM      SIZE   ENCRYPTION   RECIPIENTS
   0   sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609   linux/amd64   2789669                          
   1   sha256:7dd01fd971d4ec7058c5636a505327b24e5fc8bd7f62816a9d518472bd9b15c0   linux/amd64   3174665                          
   2   sha256:691cfbca522787898c8b37f063dd20e5524e7d103e1a3b298bd2e2b8da54faf5   linux/amd64       340                          
# $CTR images encrypt --recipient jwe:mypubkey.pem --platform linux/amd64 docker.io/library/bash:latest bash.enc:latest
Encrypting docker.io/library/bash:latest to bash.enc:latest
$ $CTR images layerinfo --platform linux/amd64 bash.enc:latest
   #                                                                    DIGEST      PLATFORM      SIZE   ENCRYPTION   RECIPIENTS
   0   sha256:360be141b01f69b25427a9085b36ba8ad7d7a335449013fa6b32c1ecb894ab5b   linux/amd64   2789669          jwe        [jwe]
   1   sha256:ac601e66cdd275ee0e10afead03a2722e153a60982122d2d369880ea54fe82f8   linux/amd64   3174665          jwe        [jwe]
   2   sha256:41e47064fd00424e328915ad2f7f716bd86ea2d0d8315edaf33ecaa6a2464530   linux/amd64       340          jwe        [jwe]

Start a local image registry so we can push the encrypted image to it. A recent versions of the registry is required to accept encrypted container images.

# docker pull registry:latest
# docker run -d -p 5000:5000 --restart=always --name registry registry

Push the encrypted image to the local registry, pull it using ctr-enc, and then run the image.

# $CTR images tag bash.enc:latest localhost:5000/bash.enc:latest
# $CTR images push localhost:5000/bash.enc:latest
# $CTR images rm localhost:5000/bash.enc:latest bash.enc:latest
# $CTR images pull localhost:5000/bash.enc:latest
# sudo $CTR run --rm localhost:5000/bash.enc:latest test echo 'Hello World!'
ctr: you are not authorized to use this image: missing private key needed for decryption
# sudo $CTR run --rm --key mykey.pem localhost:5000/bash.enc:latest test echo 'Hello World!'
Hello World!

Project details

imgcrypt is a non-core containerd sub-project, licensed under the Apache 2.0 license. As a containerd sub-project, you will find the:

information in our containerd/project repository.

More Repositories

1

containerd

An open and reliable container runtime
Go
16,882
star
2

nerdctl

contaiNERD CTL - Docker-compatible CLI for containerd, with support for Compose, Rootless, eStargz, OCIcrypt, IPFS, ...
Go
7,909
star
3

cgroups

cgroups package for Go
Go
1,085
star
4

runwasi

Facilitates running Wasm / WASI workloads managed by containerd
Rust
1,047
star
5

cri

Moved to https://github.com/containerd/containerd/tree/master/pkg/cri . If you wish to submit issues/PRs, please submit to https://github.com/containerd/containerd
Go
905
star
6

stargz-snapshotter

Fast container image distribution plugin with lazy pulling
Go
884
star
7

ttrpc

GRPC for low-memory environments
Go
548
star
8

accelerated-container-image

A production-ready remote container image format (overlaybd) and snapshotter based on block-device.
Go
405
star
9

overlaybd

Overlaybd: a block based remote image format. The storage backend of containerd/accelerated-container-image.
C++
257
star
10

ttrpc-rust

Rust implementation of ttrpc (GRPC for low-memory environments)
Rust
196
star
11

console

console package for Go
Go
178
star
12

rust-extensions

Rust crates to extend containerd
Rust
170
star
13

nydus-snapshotter

A containerd snapshotter with data deduplication and lazy loading in P2P fashion
Go
165
star
14

go-runc

runc bindings for Go
Go
163
star
15

go-cni

A generic CNI library to provide APIs for CNI plugin interactions
Go
146
star
16

continuity

A transport-agnostic, filesystem metadata manifest system
Go
142
star
17

nri

Node Resource Interface
Go
128
star
18

protobuild

Build protobufs in Go, easily
Go
122
star
19

fifo

fifo pkg for Go
Go
86
star
20

project

Cross-project utilities, scripts, etc.
Shell
72
star
21

btrfs

Btrfs bindings for Go
Go
68
star
22

zfs

ZFS snapshotter plugin for containerd
Go
64
star
23

typeurl

Go package for managing marshaled types to protobuf.Any
Go
49
star
24

containerd.io

Website repo for https://containerd.io
JavaScript
37
star
25

fuse-overlayfs-snapshotter

fuse-overlayfs plugin for rootless containerd
Go
37
star
26

release-tool

A release tool for generating detailed release notes
Go
34
star
27

aufs

AUFS Snapshotter for containerd
Go
26
star
28

ltag

Prepends project files with given template.
Go
16
star
29

project-checks

This cross-project repository holds utilities, scripts, and common files used across the containerd master project and many sub-projects within the containerd organization
Shell
5
star