Secure your Docker images
With Notary and Yubikey
Dr. Udo Seidel

Agenda
- Introduction
- The Update Framework
- Notary
- Yubikey
- Getting started
- Summary

Me :-)
- Teacher of mathematics and physics
- PhD in experimental physics
- Started with Linux in 1996
- With Amadeus since 2006
- Before: Linux/UNIX trainer; Solution Engineer in HPC and CAx environment
- Now: Architecture & Technical Governance
Introduction
Docker for Dummies
- Set of libraries, executables, other files
- Very image-based
- Separation via several namespaces

Docker work-flow
- $ docker pull
- $ docker run/start/stop/...
- $ docker commit/create/...
- $ docker push

Docker security
- Host
- Docker Daemon
- Docker Image
- Docker Instance

Docker work-flow security
- Store
- Upload
- Download
- Run
The Update Framework
Link to software management
- Source
- Target
- Download
- Content

Basic idea
- Plugin architecture: easier integration, easier to expand
- Digital signatures: proven technology; key management is crucial
- Meta data

Meta-Data
- Enhanced security: whom to trust
- Version system
- Cryptographic checksums
- Enhanced role model: delegation, separation of duties

TUF Roles I
- Root: delegates trust, uses keys
- Target: what is trusted by clients; can delegate too

TUF Roles II
- Snapshot: (latest) version of meta data; update info for clients
- Timestamp: prevents out-of-date attacks; keys kept online
- Mirror: optional

The two aspects of TUF
- Several implementations: Python, Ruby, Haskell, ... Go :-)
- Specification!
Notary
Notary and TUF
- Go implementation
- Base of Docker Content Trust
- Not limited to Docker

High level architecture
- Client-Server model
- 3 server components: Server, Signer, Database
- TCP/IP based communication
- TLS possible... mandatory
High level architecture
Notary Server
- PoC for client
- REST API
- Port: default 443 or 4443, configurable; the client needs to know it

Notary Signer
- Cryptographic operations
- Data store: database, memory, PKCS#11 via softhsm2
- Ports: 4444 for HTTP, 7899 for GRPC

Notary Database
- ATM: MySQL only
- Standard port: 3306
- 3 tables: private keys, timestamp keys, meta data

Roles and keys
- TUF specification
- 4 different roles (see TUF before); Mirror dropped
- Keys per role
- Data format: JSON

Root
- The base/start/entry point
- Two kinds: global, local
- Like the root CA in the SSL/TLS world

Target
- Main user interaction
- Corresponds to file, directory, repository
- Meta data: files, file sizes, BASE64 coded SHA256 checksums
- Default validity: 3 years
- Signed by Target role

Snapshot
- Management of root/target.json
- Consistent view of software repository
- Meta data: files, file sizes, BASE64 coded SHA256 checksums
- Default validity: 3 years
- Signed by Snapshot role

Timestamp
- Management of snapshot.json
- Meta data: file, file size, BASE64 coded SHA256 checksum
- Default validity: 14 days
- Signed by Timestamp role
- Key stored on server only
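As an added example (not from the talk and not Notary's own code), the following Python sketches the checks a TUF client applies to the target metadata described on the last three slides: expiry of the metadata, exact file size, and the BASE64 coded SHA256 checksum. The metadata layout and the sample blob are constructed and simplified; signature verification over the metadata is assumed to have already succeeded.

```python
import base64
import hashlib
from datetime import datetime, timezone

# Constructed sample content standing in for a target file (e.g. an image manifest).
BLOB = b'{"schemaVersion": 2, "layers": []}'

def b64_sha256(data):
    """Base64-encoded SHA-256 digest, the encoding used in TUF/Notary metadata."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")

def parse_utc(ts):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' expiry format into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed, simplified targets metadata (assumed TUF/Notary-like layout): one
# entry per target with its byte length and base64 SHA-256 hash, plus an expiry.
TARGETS_META = {
    "_type": "Targets",
    "expires": "2099-01-01T00:00:00Z",
    "targets": {
        "latest": {"length": len(BLOB), "hashes": {"sha256": b64_sha256(BLOB)}},
    },
}

def verify_target(meta, name, data, now=None):
    """Checks a TUF client performs before trusting downloaded content:
    metadata freshness, exact length, and hash match. Returns (ok, reason).
    Signature verification of the metadata itself is assumed to have
    succeeded already and is not shown here."""
    current = parse_utc(now) if now else datetime.now(timezone.utc)
    if current >= parse_utc(meta["expires"]):
        return False, "metadata expired"
    entry = meta["targets"].get(name)
    if entry is None:
        return False, "unknown target"
    # Length is checked first so an oversized download is rejected cheaply.
    if len(data) != entry["length"]:
        return False, "length mismatch"
    if b64_sha256(data) != entry["hashes"]["sha256"]:
        return False, "sha256 mismatch"
    return True, "ok"

if __name__ == "__main__":
    print(verify_target(TARGETS_META, "latest", BLOB))          # (True, 'ok')
    print(verify_target(TARGETS_META, "latest", BLOB + b"\n"))  # (False, 'length mismatch')
```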
The client
- notary
- $HOME/.notary/

Docker Content Trust (DCT)
- Since Engine version 1.8
- Notary: foundation but 'hidden'

Docker Content Trust
- Interaction via docker
- Mixed repository content
- (De-)Activation:
  $ DOCKER_CONTENT_TRUST=0|1  (environment variable)
  --disable-content-trust=true|false  (per-command flag)
Yubikey
Secure your (root) keys
- See root CA keys for SSL
- Secure and mobile. How?
- Encrypted $HOME? Encrypted USB sticks???
- => Yubikey (4)

Yubikey 4
- Personal Identity Verification (PIV)
- Two-Factor-Authentication: different standards; here: FIDO and U2F
- One-Time-Passwords
- Chip Card Interface Device

Yubikey-PIV and Docker/Notary
- Notary root key
- Storage: 4 in total, in addition to $HOME
- Access
- Docker-speak: changing content of repository; new/changed docker images

Yubikey-U2F and Docker/Notary
- Enhance security: generation of root keys, access to root keys
- Humans, no machines/robots
- Fine for manual tasks
Universal 2 Factor Authentication
Yubikey in Docker action
Yubikey 4 beyond Docker
- Github
- Dropbox
- Gmail / Google apps
- Disk encryption
Getting Started
Getting Started Notary (easy)
- Use official Docker Hub image :-)
- TLS quite tricky
- Drop docker and use notary
- Yubikey optional

Getting Started Notary (less easy)
- Setup Go build environment
- Download and compile notary
- Configure and startup: manually, or via Docker Compose
- TLS quite tricky
- Yubikey optional

Getting Started Yubikey (easy)
- Yubikey mandatory :-)
- Test repo on Docker Hub
- Enable DCT
- Insert Yubikey before pcscd
- $ docker pull/push

Getting Started Yubikey (less easy)
- Yubikey mandatory
- Setup own Registry
- Setup Notary (see before)
- Enable DCT
- Insert Yubikey before pcscd
- $ docker pull/push
Summary
Take Aways
- Good start
- Early days
- Only Docker image security
- What is next? Other Yubikey functions? Other tokens?

References
- http://www.docker.com
- http://theupdateframework.com
- http://www.yubico.com/docker
- http://github.com/docker/notary
- http://docs.docker.com/engine/security/trust
Thank you!