Build an encrypted Docker container via Azure DevOps

Time: 03-17

I have a pipeline in Azure DevOps that builds a container and pushes it to my Azure Container Registry.

```yaml
# Docker
# Build and push an image to Azure Container Registry
# https://docs.microsoft.com/azure/devops/pipelines/languages/docker

trigger:
- main

resources:
- repo: self

variables:
  # Container registry service connection established during pipeline creation
  dockerRegistryServiceConnection: 'myguyd'
  imageRepository: 'p2005'
  containerRegistry: 'myacr.azurecr.io'
  dockerfilePath: '$(Build.SourcesDirectory)/api/DOCKERFILE'
  tag: '$(Build.BuildId)'

  # Agent VM image name
  vmImageName: 'ubuntu-latest'

stages:
- stage: Build
  displayName: Build and push stage
  jobs:
  - job: Build
    displayName: Build
    pool:
      vmImage: $(vmImageName)
    steps:
    - task: Docker@2
      displayName: Build and push an image to container registry
      inputs:
        command: buildAndPush
        repository: $(imageRepository)
        dockerfile: $(dockerfilePath)
        containerRegistry: $(dockerRegistryServiceConnection)
        tags: latest
```

In the container I also have a raw data file that the application needs. From a security point of view, it is not great to have the raw data in the container.

So I was wondering whether there is a way to encrypt the Docker container, and if so, how to do it in the Azure pipeline.

CodePudding user response:

I don't know of a way to encrypt via an Azure pipeline. If you're using AKS by chance, you can take a look at this.

https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-containers

CodePudding user response:

You should add confidential data at runtime. For example, you could mount the data when running the container.

Depending on how big your data is, you could also use env variables for this, maybe base64 encoded to make it easier to work with. Then you inject the env variable when you start the container.

Even if you encrypt the data, your application somehow needs to decrypt the data again. You essentially have the same problem as before: where do you store the decryption key? Best practice is to inject it via an environment variable, similar to the aforementioned suggestion.

If you really want to opt for encryption and key injection, you have multiple options to do this. GPG, for example, is commonly used for such things, but there are of course also other means. In that case, you would probably encrypt only the data and not the whole filesystem of the image.
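The pattern this answer describes (encrypt only the data file, inject the decryption key when the container starts), as an added Go example that is not part of the original post or of any project mentioned here: Seal runs in the build stage and only its output is copied into the image, while the application calls KeyFromEnv and Open at startup. The variable name DATA_KEY and the choice of AES-256-GCM from Go's standard library (instead of the GPG the answer mentions) are assumptions.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"os"
)

func newGCM(key []byte) (cipher.AEAD, error) { // 32-byte key => AES-256-GCM
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs in the build stage, outside the image; only its output is COPY'd in.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce, prepended to the ciphertext
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open runs in the container at startup; a wrong key or a tampered file fails the GCM tag.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("sealed data too short")
}

// KeyFromEnv reads the base64 key injected at run time (docker run -e DATA_KEY=...), so it never lands in an image layer; DATA_KEY is an assumed name.
func KeyFromEnv() ([]byte, error) {
	if v := os.Getenv("DATA_KEY"); v != "" {
		return base64.StdEncoding.DecodeString(v)
	}
	return nil, errors.New("DATA_KEY not set: inject the key when starting the container")
}
```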
