
Introduction to docker_notary_v1.0.0


Securing delivery of docker images via Docker Notary and Docker Content Trust

Published in: Internet

  1. Introduction to Docker Notary Service. Anshul Patel, Software Developer at Day, Software Debugger at Night.
  2. What is a Digital Signature? (Ref: )
  3. What and Why Notary?
     ● Provides high levels of trust over digital content via signatures.
     ● Ensures the provenance of the digital content.
     ● Guarantees consistency of digital content in the software supply chain.
     ● Creates, manages, and distributes the metadata necessary to ensure the integrity and freshness of your content.
     ● Notary is hosted by the CNCF (Cloud Native Computing Foundation).
     ● Notary is an implementation of The Update Framework (TUF).
  4. But.. Why do we require it?
     ● Attackers keep serving you the same update file.
     ● Attackers serve an older, insecure update.
     ● Attackers spoof a new version of the file.
     ● Attackers compromise the key used to sign these files.
  5. Notary Service Architecture
     ● Clients
     ● Notary Server
     ● Notary Server DB
     ● Notary Signer
     ● Notary Signer DB
     (Ref: )
  6. Notary Server
     ● Ensures that any uploaded metadata is valid, signed, and self-consistent.
     ● Generates the timestamp (and sometimes snapshot) metadata.
     ● Serves the latest valid metadata for any trusted collection to the clients.
  7. Notary Signer
     ● Stores the private signing keys wrapped and encrypted using JavaScript Object Signing and Encryption (JOSE).
     ● Performs signing operations with those keys whenever the Notary Server requests them.
  8. Notary Service HA (Ref: ated-information)
  9. What and Why Docker Content Trust?
     ● Part of the Docker Engine daemon.
     ● Trust is enabled via the integration of Notary into Docker Engine.
     ● When images are pushed to a repository, they are signed with private keys held by the content publisher.
     ● When a user interacts with the image for the first time, they establish trust with that publisher; all subsequent interactions then require a valid signature from that same publisher.
     ● Protects from image forgery, replay attacks, and key compromise.
     (Ref: )
  10. Docker Content Trust (Ref: )
  11. Key Keys (Pun Intended) for Docker Content Trust
     ● The Tagging Key:
        ○ Generated for each new repository the publisher owns.
        ○ Exported and shared with any person/system that needs the ability to sign content for this repository.
     ● The Offline/Root Key:
        ○ Most important key; forms the root of trust for your repository.
        ○ Different repositories can use the same Offline key.
        ○ Required for creating a new repository key or rotating an existing key.
        ○ Should be kept offline for security.
  12. Who uses Notary?
     ● Cloudflare
     ● Kolide
     ● IBM
     ● Docker Hub
     ● Compatible with Artifactory
     ● Financial, Telecom and Healthcare Enterprises.
  13. Demo
  14. Thanks and Questions? Resource:
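Slides 4 and 6 describe the attacks Notary defends against and the timestamp metadata the server generates to counter them; the following is an added illustration, not code from Notary or from this deck, of the checks a TUF-style client applies to that metadata. It assumes a constructed shared key and uses an HMAC as a stand-in for the publisher's asymmetric signature; key rotation (the key-compromise case, handled through the root role in TUF) is not modelled.

```python
"""Added illustration (not Notary's or this deck's code): the authenticity,
freshness and rollback checks a TUF-style client applies to timestamp metadata.
Simplification: an HMAC over canonical JSON with a constructed shared key stands in for the publisher's signature."""
import hashlib, hmac, json
from datetime import datetime, timedelta, timezone

PUBLISHER_KEY = b"constructed-timestamp-key"    # stand-in for the trusted timestamp key
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock keeps the example reproducible

def canonical(meta: dict) -> bytes:
    # Canonical JSON so signer and verifier hash exactly the same bytes.
    return json.dumps(meta, sort_keys=True, separators=(",", ":")).encode()

def sign(meta: dict, key: bytes) -> dict:
    return {"signed": meta, "sig": hmac.new(key, canonical(meta), hashlib.sha256).hexdigest()}

def verify_timestamp(envelope: dict, trusted_key: bytes, last_seen_version: int, now: datetime):
    """Return (accepted, reason). Authenticate first so unsigned data never
    influences the freshness or rollback decisions."""
    signed = envelope["signed"]
    expected = hmac.new(trusted_key, canonical(signed), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["sig"]):
        return False, "signature not from trusted key"  # spoofed or tampered metadata
    if datetime.fromisoformat(signed["expires"]) <= now:
        return False, "metadata expired"                 # stale file replayed past its lifetime
    if signed["version"] < last_seen_version:
        return False, "version rollback"                 # older metadata served again
    return True, "ok"

def build(version: int, ttl: timedelta, key: bytes = PUBLISHER_KEY) -> dict:
    # Constructed timestamp metadata; the snapshot digest is a dummy value.
    meta = {"_type": "timestamp", "version": version, "expires": (NOW + ttl).isoformat(),
            "meta": {"snapshot.json": {"sha256": "ab" * 32, "length": 123}}}
    return sign(meta, key)

def run_scenarios() -> dict:
    """Client last accepted version 5; each case maps to an attack from slide 4."""
    tampered = build(6, timedelta(days=1))
    tampered["signed"]["version"] = 99                   # edited after signing
    cases = {"fresh": build(6, timedelta(days=1)),
             "replayed": build(6, timedelta(days=-1)),   # same file, now past expiry
             "rolled_back": build(4, timedelta(days=1)), # older version, valid signature
             "spoofed": build(7, timedelta(days=1), key=b"attacker-key"),
             "tampered": tampered}
    return {name: verify_timestamp(env, PUBLISHER_KEY, 5, NOW) for name, env in cases.items()}

if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:12s} accepted={ok} ({why})")
```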