Docker Content Trust steps up container security

Docker Content Trust seeks to provide a standard security framework for Docker images, via open source key-sharing

As Docker has matured, it's grappled with the security issues that come with containers. Of late, Docker has concentrated on how to certify the contents of a given container.

Its latest push in this area, Docker Content Trust, provides a way for users of containerized apps to ensure that the container's publisher and content are who they say they are. Content Trust also makes this verification a standard mechanism, at least where Docker's content-delivery infrastructure (such as Docker Hub) is concerned.

Docker Content Trust works by making sure containers are signed by their creators before they're publicly available, with the signatures verifiable by users. Two keys are used in the process: a per-repository key, kept online, for signing Docker images, and a root key, kept offline, for creating new per-repository keys.

With this two-key mechanism, it's more difficult to forge signatures since an attacker would need access to both keys to pull off the feat. If a per-repository key were to be stolen, the publisher would be able to generate a new one with the root key.
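The two-key hierarchy just described, as an added example written for this page in Go (it is not Notary's code and does not use its real metadata format): a root key that stays offline authorises a per-repository key, the per-repository key signs image digests on every push, and a pulling client that trusts only the root public key verifies the whole chain. The repository name, tag and digest values are constructed, and the struct names and message layouts are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// RepoKeyCert is the offline root key's statement that one per-repository
// public key is currently allowed to sign images for Repo.
type RepoKeyCert struct {
	Repo    string
	KeyID   string // hex SHA-256 of PubKey
	PubKey  ed25519.PublicKey
	RootSig []byte // root signature over certMessage(Repo, KeyID)
}

// SignedTargets binds an image tag to its content digest under the
// per-repository (online) key.
type SignedTargets struct {
	Repo   string
	Tag    string
	Digest string // constructed sample values are used below
	KeyID  string // which repository key produced Sig
	Sig    []byte
}

func keyID(pub ed25519.PublicKey) string {
	h := sha256.Sum256(pub)
	return hex.EncodeToString(h[:])
}

// Domain-separated messages: a signature over one structure can never be
// replayed as a signature over the other.
func certMessage(repo, kid string) []byte {
	return []byte("repo-key\x00" + repo + "\x00" + kid)
}

func targetsMessage(repo, tag, digest string) []byte {
	return []byte("targets\x00" + repo + "\x00" + tag + "\x00" + digest)
}

// IssueRepoKey is the offline step: the root key authorises a repository key.
// Rotating a stolen repository key is this call again with a fresh key.
func IssueRepoKey(rootPriv ed25519.PrivateKey, repo string, repoPub ed25519.PublicKey) RepoKeyCert {
	kid := keyID(repoPub)
	return RepoKeyCert{
		Repo:    repo,
		KeyID:   kid,
		PubKey:  repoPub,
		RootSig: ed25519.Sign(rootPriv, certMessage(repo, kid)),
	}
}

// SignTargets is the online step a publisher runs on every push.
func SignTargets(repoPriv ed25519.PrivateKey, repo, tag, digest string) SignedTargets {
	pub := repoPriv.Public().(ed25519.PublicKey)
	return SignedTargets{
		Repo:   repo,
		Tag:    tag,
		Digest: digest,
		KeyID:  keyID(pub),
		Sig:    ed25519.Sign(repoPriv, targetsMessage(repo, tag, digest)),
	}
}

// Verify is what a pulling client does. It trusts only rootPub; the current
// repository key certificate and the targets arrive alongside the image.
func Verify(rootPub ed25519.PublicKey, cert RepoKeyCert, st SignedTargets) error {
	if cert.Repo != st.Repo {
		return errors.New("repository key certificate is for a different repository")
	}
	if keyID(cert.PubKey) != cert.KeyID {
		return errors.New("certificate key id does not match its public key")
	}
	if !ed25519.Verify(rootPub, certMessage(cert.Repo, cert.KeyID), cert.RootSig) {
		return errors.New("repository key is not authorised by the root key")
	}
	if st.KeyID != cert.KeyID {
		return errors.New("targets were signed by a key that is no longer the repository key")
	}
	if !ed25519.Verify(cert.PubKey, targetsMessage(st.Repo, st.Tag, st.Digest), st.Sig) {
		return errors.New("targets signature does not match the image digest")
	}
	return nil
}

func main() {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader) // stays offline
	repoPub, repoPriv, _ := ed25519.GenerateKey(rand.Reader) // lives with the publisher's push tooling

	const repo = "example/app" // constructed sample repository name
	cert := IssueRepoKey(rootPriv, repo, repoPub)
	good := SignTargets(repoPriv, repo, "1.0", "sha256:0123deadbeef") // constructed digest
	fmt.Println("valid signature:", Verify(rootPub, cert, good))

	tampered := good
	tampered.Digest = "sha256:ffff"
	fmt.Println("tampered digest:", Verify(rootPub, cert, tampered))

	// The repository key leaks: the publisher rotates it offline, and clients
	// holding the new certificate reject everything the old key signed.
	newPub, newPriv, _ := ed25519.GenerateKey(rand.Reader)
	rotated := IssueRepoKey(rootPriv, repo, newPub)
	fmt.Println("old key after rotation:", Verify(rootPub, rotated, good))
	fmt.Println("new key after rotation:", Verify(rootPub, rotated, SignTargets(newPriv, repo, "1.0", "sha256:0123deadbeef")))
}
```

Run it with `go run`. The last two lines of output show the property the article relies on: after the root key issues a replacement certificate, signatures from the leaked repository key are rejected even though they verified before, and the root key never has to come online for a push. The real system layers this on TUF metadata with expiry and snapshot keys, which this model omits; in Docker 1.8 the Engine-side check itself is switched on by setting `DOCKER_CONTENT_TRUST=1` in the shell.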

This key-signing system is built using an existing Docker project, Notary. Close integration with the Docker Engine means common actions for containers can be constrained only to use signed content. (Docker 1.8, the latest release, includes these features, though they're disabled by default.)

Docker security lead Diego Monica explained in a phone call that Docker's main rationale for doing this is to "raise the bar for trusted delivery of content" and to "have a base layer of security for trusted content that is open source and audited by the community, and enables everyone else to build on top of the Docker platform."

These first steps with Content Trust involve leading by example; it's positioned as the standard for delivering trusted content through Docker's official repositories -- but as an opt-in mechanism at first. If you're deploying via a private repository, you can also use Docker Content Trust to sign content, without depending on external sources of trust.

In the past, the company heralded its "batteries included, but optional" approach to its product design. While recommended practices are available in Docker by default, it's not the only path.

But with security -- especially a security process, rather than a pluggable behavior -- Docker may not have a choice but to be opinionated. That said, the company claims to have received deeply positive feedback from its community over Content Trust.
