github.com/containerd/nerdctl@v1.7.7/docs/ocicrypt.md

# OCIcrypt

| :zap: Requirement | nerdctl >= 0.7 |
|-------------------|----------------|

nerdctl supports encryption and decryption using [OCIcrypt](https://github.com/containers/ocicrypt)
(aka [imgcrypt](https://github.com/containerd/imgcrypt) for containerd).

## JWE mode

### Encryption

Use `openssl` to create a private key (`mykey.pem`) and the corresponding public key (`mypubkey.pem`):
```bash
openssl genrsa -out mykey.pem
openssl rsa -in mykey.pem -pubout -out mypubkey.pem
```

Use `nerdctl image encrypt` to create an encrypted image:
```bash
nerdctl image encrypt --recipient=jwe:mypubkey.pem --platform=linux/amd64,linux/arm64 foo example.com/foo:encrypted
nerdctl push example.com/foo:encrypted
```

:warning: CAUTION: This command encrypts only the image layers. It does NOT encrypt the [container configuration such as `Env` and `Cmd`](https://github.com/opencontainers/image-spec/blob/v1.0.1/config.md#example), which stays in cleartext and is readable by anyone who can pull the image.
To see the non-encrypted information, run `nerdctl image inspect --mode=native --platform=PLATFORM example.com/foo:encrypted`.

### Decryption

#### Configuration
Put the private key files in `/etc/containerd/ocicrypt/keys` (for rootless `~/.config/containerd/ocicrypt/keys`).
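The encryption steps above, wrapped in a script with a check that every layer of the pushed image really carries an `+encrypted` media type. This is an added example, not nerdctl's or ocicrypt's own code. The image name `foo`, the target `example.com/foo:encrypted` and the key file names are taken from this page; the `IMAGE`, `TARGET` and `PLATFORM` variables, the function names and the sample manifests are this example's own, and the sample manifests are hand-constructed rather than captured from a registry.

```shell
#!/usr/bin/env bash
# Added example for the JWE encryption workflow; not code from nerdctl or ocicrypt.
# Wraps the commands from the doc in functions and adds a check that every layer
# of the pushed image is encrypted. The image config (Env, Cmd, ...) and the
# manifest stay in cleartext, so only layer mediaTypes are inspected.
set -euo pipefail

IMAGE="${IMAGE:-foo}"                               # assumed source image
TARGET="${TARGET:-example.com/foo:encrypted}"       # assumed target reference
PLATFORM="${PLATFORM:-linux/amd64}"                 # assumed platform to inspect

# Generate the RSA key pair exactly as the doc does.
make_keys() {
  openssl genrsa -out mykey.pem
  openssl rsa -in mykey.pem -pubout -out mypubkey.pem
}

# Encrypt the layers for the recipient's public key and push the result.
encrypt_and_push() {
  nerdctl image encrypt --recipient=jwe:mypubkey.pem --platform="$PLATFORM" "$IMAGE" "$TARGET"
  nerdctl push "$TARGET"
}

# Read manifest JSON on stdin and print the mediaType of every layer that is NOT
# encrypted (no "+encrypted" suffix). Config and manifest descriptors are ignored:
# they are never encrypted, which is exactly the caveat in the doc.
# Pure tr/grep/sed so it works without jq.
unencrypted_layers() {
  tr -d ' \n\t' \
    | grep -o '"mediaType":"[^"]*"' \
    | sed 's/"mediaType":"\(.*\)"/\1/' \
    | grep -E '^application/vnd\.(oci\.image\.layer|docker\.image\.rootfs)' \
    | grep -v '+encrypted$' || true
}

# Succeeds only when no plaintext layer remains in the manifest on stdin.
all_layers_encrypted() {
  [ -z "$(unencrypted_layers)" ]
}

# Inspect the pushed image and fail if any layer is still plaintext.
# --mode=native dumps the raw manifest, so the mediaType fields are visible.
verify_encrypted_image() {
  nerdctl image inspect --mode=native --platform="$PLATFORM" "$TARGET" | all_layers_encrypted
}

# Constructed sample manifests (hand-written, not real registry output) so the
# check can be exercised offline.
SAMPLE_ENCRYPTED='{"schemaVersion":2,"config":{"mediaType":"application/vnd.oci.image.config.v1+json","digest":"sha256:0000","size":1},"layers":[{"mediaType":"application/vnd.oci.image.layer.v1.tar+gzip+encrypted","digest":"sha256:1111","size":2}]}'
SAMPLE_PLAIN='{"schemaVersion":2,"config":{"mediaType":"application/vnd.oci.image.config.v1+json","digest":"sha256:0000","size":1},"layers":[{"mediaType":"application/vnd.oci.image.layer.v1.tar+gzip","digest":"sha256:2222","size":2}]}'
# One encrypted layer followed by one that was left in the clear.
SAMPLE_MIXED='{"schemaVersion":2,"config":{"mediaType":"application/vnd.oci.image.config.v1+json","digest":"sha256:0000","size":1},"layers":[{"mediaType":"application/vnd.oci.image.layer.v1.tar+gzip+encrypted","digest":"sha256:1111","size":2},{"mediaType":"application/vnd.oci.image.layer.v1.tar","digest":"sha256:3333","size":3}]}'

# Only talk to openssl, nerdctl and the registry when explicitly asked.
if [ "${RUN_NERDCTL:-0}" = "1" ]; then
  make_keys
  encrypt_and_push
  verify_encrypted_image && echo "all layers of $TARGET are encrypted"
fi
```

Run it with `RUN_NERDCTL=1 IMAGE=foo TARGET=example.com/foo:encrypted bash encrypt.sh` to perform the real key generation, encryption, push and verification; without `RUN_NERDCTL=1` only the functions are defined, which is what lets the manifest check be tried against the constructed samples (for example `printf '%s' "$SAMPLE_MIXED" | unencrypted_layers` prints the one plaintext layer type).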

<details>
<summary>Extra step for containerd 1.4 and older</summary>

<p>

containerd 1.4 and older require adding the following configuration to `/etc/containerd/config.toml`
(for rootless `~/.config/containerd/config.toml`):

```toml
version = 2

[stream_processors]
  [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.gzip"]
    accepts = ["application/vnd.oci.image.layer.v1.tar+gzip+encrypted"]
    returns = "application/vnd.oci.image.layer.v1.tar+gzip"
    path = "ctd-decoder"
    args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
  [stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
    accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"]
    returns = "application/vnd.oci.image.layer.v1.tar"
    path = "ctd-decoder"
    args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]

# NOTE: On rootless, ~/.config/containerd is mounted as /etc/containerd in the namespace,
# so the same /etc/containerd/ocicrypt/keys path is used here.
```

</p>

</details>

#### Running nerdctl

No flag is needed for running encrypted images with `nerdctl run`, as long as the private key is stored
in `/etc/containerd/ocicrypt/keys` (for rootless `~/.config/containerd/ocicrypt/keys`).

Just run `nerdctl run example.com/encrypted-image`.
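Installing the private key where containerd's decoder expects it, as an added example that is not part of nerdctl. The directory rule (root: `/etc/containerd/ocicrypt/keys`, rootless: `~/.config/containerd/ocicrypt/keys`) comes from this page; the function names, the `RUN_NERDCTL` switch and the file permissions chosen are this example's own. The key is installed owner-only because anyone who can read it can decrypt every image encrypted to the matching public key.

```shell
#!/usr/bin/env bash
# Added example (not nerdctl's own code): put a JWE private key where containerd's
# ocicrypt decoder looks for it, with owner-only permissions, then run the image.
set -euo pipefail

# Pick the keys directory for a given uid and home directory (rule from the doc).
# uid and home are explicit parameters instead of $UID/$HOME so the rule can be
# exercised without being root.
ocicrypt_keys_dir() {
  uid="$1"; home="$2"
  if [ "$uid" -eq 0 ]; then
    printf '%s\n' /etc/containerd/ocicrypt/keys
  else
    printf '%s\n' "$home/.config/containerd/ocicrypt/keys"
  fi
}

# Copy a private key into the keys directory as 0600 inside a 0700 directory.
# umask 077 in the subshell ensures neither the directory nor the copy is ever
# group/world-readable, not even between cp and chmod. Prints the installed path.
install_decryption_key() {
  key="$1"; dir="$2"; dst="$2/$(basename "$1")"
  (umask 077 && mkdir -p "$dir" && cp "$key" "$dst")
  chmod 0700 "$dir"   # mkdir -p leaves an existing directory's mode untouched
  chmod 0600 "$dst"
  printf '%s\n' "$dst"
}

# Sanity check: the installed file must be a private key openssl can parse.
check_private_key() {
  openssl pkey -in "$1" -noout
}

# Run the encrypted image; no extra flags are needed once the key is in place.
run_encrypted() {
  nerdctl run --rm "$1"
}

# Only touch the real key directory and call nerdctl when explicitly asked.
if [ "${RUN_NERDCTL:-0}" = "1" ]; then
  dir="$(ocicrypt_keys_dir "$(id -u)" "$HOME")"
  installed="$(install_decryption_key mykey.pem "$dir")"
  check_private_key "$installed"
  run_encrypted example.com/foo:encrypted
fi
```

`RUN_NERDCTL=1 bash install-key.sh` installs `mykey.pem` from the current directory into the directory matching the invoking user and then runs `example.com/foo:encrypted`; for rootless mode run it as the unprivileged user so the key lands under that user's `~/.config`.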

To decrypt an image without running a container, use the `nerdctl image decrypt` command
(`--unpack=false` skips the unpack step, which would otherwise require the key to be configured in containerd):
```bash
nerdctl pull --unpack=false example.com/foo:encrypted
nerdctl image decrypt --key=mykey.pem example.com/foo:encrypted foo:decrypted
```

## PGP (GPG) mode
(Undocumented yet)

## PKCS7 mode
(Undocumented yet)

## PKCS11 mode
(Undocumented yet)

## More information
- https://github.com/containerd/imgcrypt (High-level library for containerd, using `containers/ocicrypt`)
- https://github.com/containers/ocicrypt (Low-level library, used by `containerd/imgcrypt`)
- https://github.com/opencontainers/image-spec/pull/775 (Proposal for OCI Image Spec)
- https://github.com/containerd/containerd/blob/main/docs/cri/decryption.md (configuration guide)
  - The `plugins."io.containerd.grpc.v1.cri"` section does not apply to nerdctl, as nerdctl does not use CRI