Last week we presented a live webinar on How to Build a Basic Edge Cloud. One of the topics that drew the most attention was container security, so we wanted to bring you this white paper which we published jointly with Intel, Secure the IoT Edge with Trusted Docker Containers.
Deploying applications to the edge requires special attention to security to prevent the compromise of end devices. Mirantis has partnered with Intel to secure the last mile in Docker Enterprise Platform to hardware primitives in Trusted Platform Module (TPM), leveraging Intel Platform Trust Technology (Intel PTT).
Some of the key steps we have taken to supply hardened enterprise security for trusted containers for our customers deploying at the edge include:
- Security in transit: Docker Enterprise leverages the trusted platform module to create credentials and generate key pairs for secure connection to enterprise infrastructure.
- Security at rest: The Docker Enterprise platform makes use of disk encryption to protect images in an encrypted volume, backed by keys in TPM.
- Node integrity: Security services tied to Docker Engine and to secure boot use a secure cryptoprocessor such as a Trusted Platform Module (TPM) to measure container infrastructure files and prevent compromised files and data from being accessed.
- Image integrity: In the Docker Trusted Registry, images are signed prior to delivery to end devices. Once the image is received in the end device, Docker Content Trust verifies image integrity.
- Node attestation: Critical Docker infrastructure is measured against the Integrity Measurement Architecture and chained to the integrity of the Secure Boot flow, and can be attested by a remote verifier.
- Registry authentication: Docker Trusted Registry authenticates the device identify with credentials stored in a TPM.
All of these features enhance the Docker Enterprise Platform and provide the foundational capabilities required to extend the secure deployment of apps to the Edge and IOT.
Interested in more details about how this all works? Please download the white paper.