Docker Content Trust Gets Hardware Signing

Nov 16 2015

Three months ago we launched Docker Content Trust, integrating the guarantees from The Update Framework (TUF) into Docker using Notary, an open source tool that provides trust over any content.

Today we’re incredibly excited to announce the support of hardware based signing in notary and Docker experimental.


image04 We launched hardware signing in Notary today at DockerCon EU 2015, where we gave developers the power to be secure content publishers by providing a free Yubikey 4 to every single attendee.

To use hardware signing, you need to install docker experimental. For all of you mac users out there, we created a special Docker Tool Box just for this event that comes with everything you need installed.

The Yubikey 4 is Yubico’s new flagship product, featuring a completely new hardware and software stack, allowing Docker to integrate seamlessly provide the best security for Docker image signing.

If you want to increase the security of your Docker images, enable Docker Content Trust, get yourself a Yubikey 4 and sign away.

The quickest way to get started with hardware signing is by downloading the docker experimental binary that comes with the DockerCon 2015 Demo Toolbox: docker-x

After it’s installed, you can plug-in your Yubikey to a USB port and generate yourself a Docker Content Trust root key.


Make sure that the key actually made it to both the Yubikey and your local private key directory by using notary key list.


See those two keys in the listing? It means that you now both have a root key stored in your private folder (encrypted at rest) and inside of the yubikey.

WARNING: Make sure to backup your root key to a secure offline location. The loss of a root key is irrecoverable. You can backup your keys with notary key backup.

Now that we have our root key generated inside of the yubikey, we can generate keys for our first repository and push our first signed image!


And that is it. Everyone in the world that has Docker Content Trust enabled can now securely download your content.

More details on how to use Docker Content Trust to sign your images can be found here. if you want more information on notary, check out the notary docs here.


Learn More about Docker



5 thoughts on "Docker Content Trust Gets Hardware Signing"

DockerCon 2022

Registration is now open for DockerCon 2022! Join us for this free, immersive online experience complete with product demos, breakout learning tracks, panel discussions, hacks & tips, deep dive technical sessions, and much more.

Register Now