KBS provides a simple cluster defined by docker-compose
, include itself, Attestation Service, Reference Value Provider Service and CoCo Keyprovider
Users can use very simple command to:
- launch KBS service.
- encrypt images.
Generate a user auth key pair
cd $KBS
openssl genpkey -algorithm ed25519 > config/private.key
openssl pkey -in config/private.key -pubout -out config/public.pub
Run the cluster
docker-compose up -d
Then the kbs cluster is launched.
Use skopeo
to encrypt an image
# edit ocicrypt.conf
tee > ocicrypt.conf <<EOF
{
"key-providers": {
"attestation-agent": {
"grpc": "127.0.0.1:50000"
}
}
}
EOF
# encrypt the image
OCICRYPT_KEYPROVIDER_CONFIG=ocicrypt.conf skopeo copy --insecure-policy --encryption-key provider:attestation-agent docker://busybox oci:busybox_encrypted
The image will be encrypted, and things happens in the background include:
CoCo Keyprovider
generates a random KEK and a key id. Then encrypts the image using the KEK.CoCo Keyprovider
registers the KEK with key id into KBS.
If use the same KBS for key brokering, the image can be decrypted.