I have a pipeline in Azure DevOps that builds a container and pushes it to my Azure Container Registry.
```yaml
# Docker
# Build and push an image to Azure Container Registry
# https://docs.microsoft.com/azure/devops/pipelines/languages/docker

trigger:
- main

resources:
- repo: self

variables:
  # Container registry service connection established during pipeline creation
  dockerRegistryServiceConnection: 'myguyd'
  imageRepository: 'p2005'
  containerRegistry: 'myacr.azurecr.io'
  dockerfilePath: '$(Build.SourcesDirectory)/api/DOCKERFILE'
  tag: '$(Build.BuildId)'

  # Agent VM image name
  vmImageName: 'ubuntu-latest'

stages:
- stage: Build
  displayName: Build and push stage
  jobs:
  - job: Build
    displayName: Build
    pool:
      vmImage: $(vmImageName)
    steps:
    - task: Docker@2
      displayName: Build and push an image to container registry
      inputs:
        command: buildAndPush
        repository: $(imageRepository)
        dockerfile: $(dockerfilePath)
        containerRegistry: $(dockerRegistryServiceConnection)
        tags: latest
```
In the container I also have some raw data files that the application needs. From a security point of view, it is not great to have the raw data in the container.
So, I was wondering if there is a way to encrypt the Docker container, and if so, how to do it in the Azure pipeline.
CodePudding user response:
I don't know if there is a way to encrypt via Azure pipeline. If you're using AKS by chance, you can take a look at this:
https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-containers
CodePudding user response:
You should add confidential data at runtime. For example, you could mount the data when running the container.
Depending on how big your data is, you could also use env variables for this, maybe base64 encoded to make it easier to work with. Then you inject the env variable when you start the container.
Even if you encrypt the data, your application somehow needs to decrypt the data again. You essentially have the same problem as before: where do you store the decryption key? Best practice is to inject it via environment variable, similar to the above-mentioned suggestion.
If you really want to opt for encryption and key injection, you have multiple options to do this. GPG for example is commonly used for such things, but there are of course also other means. In that case, you would probably encrypt only the data and not the whole filesystem of the image.
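The runtime-injection pattern from the answer above, as an added Python example that is not code from the original post: the image ships without the data, and at start-up the application loads it from a mounted file or from a base64 env var, refusing to use it unless its SHA-256 matches an expected value. The variable names `DATA_PATH`, `DATA_B64` and `DATA_SHA256` and the helpers `pack_for_env` and `load_raw_data` are assumptions for this example.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Mapping


class DataLoadError(RuntimeError):
    """Raised when the runtime data cannot be loaded or fails verification."""


def pack_for_env(payload: bytes) -> dict:
    """Build-side helper (hypothetical): produce the two variables the container expects.

    DATA_B64 carries the payload; DATA_SHA256 is its digest, so the application can
    reject a tampered or truncated payload before using it. Env vars have size limits,
    so for large files mount a volume at DATA_PATH instead and pass only DATA_SHA256.
    """
    return {
        "DATA_B64": base64.b64encode(payload).decode("ascii"),
        "DATA_SHA256": hashlib.sha256(payload).hexdigest(),
    }


def _verify(payload: bytes, expected_hex: str) -> bytes:
    """Constant-time comparison of the payload digest against the expected value."""
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, expected_hex.strip().lower()):
        raise DataLoadError("data integrity check failed")
    return payload


def load_raw_data(env: Mapping[str, str] = os.environ) -> bytes:
    """Container-side loader: mounted file first, base64 env var second, else fail closed."""
    expected = env.get("DATA_SHA256")
    if not expected:
        raise DataLoadError("DATA_SHA256 is not set; refusing to load unverified data")
    path = env.get("DATA_PATH")
    if path and os.path.isfile(path):  # volume or secret mounted at run time
        with open(path, "rb") as fh:
            return _verify(fh.read(), expected)
    encoded = env.get("DATA_B64")
    if encoded:
        try:
            decoded = base64.b64decode(encoded, validate=True)
        except binascii.Error as exc:
            raise DataLoadError(f"DATA_B64 is not valid base64: {exc}") from None
        return _verify(decoded, expected)
    raise DataLoadError("no data source: mount a file at DATA_PATH or set DATA_B64")
```

The pipeline step that builds the image then only needs to ship the expected digest; the payload itself is supplied by `docker run -e DATA_B64=...` or a `-v` mount at deploy time.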