Three months ago we launched Docker Content Trust, integrating the guarantees from The Update Framework (TUF) into Docker using Notary, an open source tool that provides trust over any content.
Today we're incredibly excited to announce support for hardware-based signing in Notary and Docker experimental.
To use hardware signing, you need to install Docker experimental. For all of you Mac users out there, we created a special Docker Toolbox just for this event that comes with everything you need installed.
The Yubikey 4 is Yubico's new flagship product, featuring a completely new hardware and software stack, which allows Docker to integrate with it seamlessly and provide the best security for Docker image signing.
If you want to increase the security of your Docker images, enable Docker Content Trust, get yourself a Yubikey 4 and sign away.
The quickest way to get started with hardware signing is by downloading the docker experimental binary that comes with the DockerCon 2015 Demo Toolbox: docker-x
After it's installed, you can plug your Yubikey into a USB port and generate yourself a Docker Content Trust root key.
Make sure that the key actually made it to both the Yubikey and your local private key directory by using notary key list.
See those two keys in the listing? It means that you now have a root key stored both in your local private key directory (encrypted at rest) and inside the Yubikey.
WARNING: Make sure to back up your root key to a secure offline location. The loss of a root key is irrecoverable. You can back up your keys with notary key backup.
Now that we have our root key generated inside the Yubikey, we can generate keys for our first repository and push our first signed image!
And that is it. Everyone in the world that has Docker Content Trust enabled can now securely download your content.
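The post asks you to eyeball the notary key list output and confirm that the root key shows up twice, once on the Yubikey and once in the local private key directory. The script below, added here as an example and not code from the original post or from the Notary project, turns that check into something you can run before every signed push. The listing embedded in it is a constructed sample in the tabular ROLE / GUN / KEY ID / LOCATION layout that later Notary releases print, not captured output; the column positions and the literal location values (the word yubikey, a path ending in private) are assumptions, so adjust the awk field tests to match what your Notary version actually prints. The push_signed function at the end assumes docker and notary are on PATH and is defined but not run here.

```shell
#!/bin/sh
# Added example, not part of the original post or of the Notary project.
# Checks that the Docker Content Trust root key is present BOTH on the Yubikey
# and in the local private key directory before allowing a signed push.

# Constructed sample of `notary key list` output (not a real capture). Root rows
# have an empty GUN column, so they split into 3 whitespace fields; rows for
# repository keys (targets, snapshot, ...) split into 4. Key IDs are made up.
SAMPLE_LISTING='ROLE      GUN                          KEY ID                                                            LOCATION
----      ---                          ------                                                            --------
root                                   0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef  yubikey
root                                   0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef  /home/alice/.docker/trust/private
targets   docker.io/alice/hello-world  fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210  /home/alice/.docker/trust/private'

# Constructed failure case: the root key exists on disk only (Yubikey not
# plugged in, or the key never reached it). This is what the post warns about.
LOCAL_ONLY_LISTING='ROLE      GUN    KEY ID                                                            LOCATION
----      ---    ------                                                            --------
root             0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef  /home/alice/.docker/trust/private'

# root_key_ids LISTING: print each distinct root key ID (field 2 of a 3-field root row).
root_key_ids() {
    printf '%s\n' "$1" | awk '$1 == "root" && NF == 3 { print $2 }' | sort -u
}

# key_in_location LISTING KEYID PATTERN: succeed if KEYID is listed on a root row
# whose LOCATION field matches the awk regex PATTERN.
key_in_location() {
    printf '%s\n' "$1" | awk -v id="$2" -v pat="$3" \
        '$1 == "root" && NF == 3 && $2 == id && $3 ~ pat { found = 1 } END { exit !found }'
}

# check_root_key LISTING: return 0 only when exactly one root key ID is listed
# and it appears both on the Yubikey and under a local private key directory.
# Return codes: 1 = not exactly one root key, 2 = missing on Yubikey,
# 3 = missing on disk (so there is nothing to back up with `notary key backup`).
check_root_key() {
    ids=$(root_key_ids "$1")
    [ "$(printf '%s\n' "$ids" | grep -c .)" -eq 1 ] || return 1
    key_in_location "$1" "$ids" '^yubikey$' || return 2
    key_in_location "$1" "$ids" '/private$' || return 3
    return 0
}

# push_signed IMAGE: run the check against the live listing, then push with
# Docker Content Trust enabled. Assumes docker and notary are on PATH; not run here.
push_signed() {
    listing=$(notary key list) || { echo "notary key list failed" >&2; return 1; }
    check_root_key "$listing" || { echo "root key not on both Yubikey and disk (code $?)" >&2; return 1; }
    DOCKER_CONTENT_TRUST=1 docker push "$1"
}

# Demonstrate both constructed cases without touching a real Notary or Docker.
if check_root_key "$SAMPLE_LISTING"; then
    echo "sample listing: root key present on Yubikey and on disk"
fi
if check_root_key "$LOCAL_ONLY_LISTING"; then
    echo "local-only listing: unexpectedly passed"
else
    echo "local-only listing: root key missing from Yubikey, refusing to push"
fi
```

The interesting return code is 2: a listing that shows the root key only on disk means the Yubikey is absent or the key never reached it, and signing would fall back to the software copy. Treating that as a hard failure in a push wrapper keeps the "hardware-backed" property from silently degrading.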
More details on how to use Docker Content Trust to sign your images can be found here. If you want more information on Notary, check out the Notary docs here.
5 thoughts on "Docker Content Trust Gets Hardware Signing"