cluster.md

File metadata and controls

54 lines (40 loc) · 1.48 KB

KBS Cluster

KBS provides a simple cluster defined by docker-compose that includes KBS itself, the Attestation Service, the Reference Value Provider Service and the CoCo Keyprovider.

With a couple of simple commands, users can:

  • launch the KBS service.
  • encrypt images.

Architecture

Start-Up

Generate a user auth key pair

cd $KBS
openssl genpkey -algorithm ed25519 > config/private.key
openssl pkey -in config/private.key -pubout -out config/public.pub

Run the cluster

docker-compose up -d

The KBS cluster is now running.

Use skopeo to encrypt an image

# write ocicrypt.conf, pointing the "attestation-agent" key provider at the CoCo Keyprovider gRPC endpoint
tee > ocicrypt.conf <<EOF
{
    "key-providers": {
        "attestation-agent": {
            "grpc": "127.0.0.1:50000"
        }
    }
}
EOF

# encrypt the image; --insecure-policy skips skopeo's signature policy check (fine for a local test, not for production)
OCICRYPT_KEYPROVIDER_CONFIG=ocicrypt.conf skopeo copy --insecure-policy --encryption-key provider:attestation-agent docker://busybox oci:busybox_encrypted

The image is now encrypted. Behind the scenes:

  • ocicrypt encrypts the image layers with a symmetric layer key and asks the CoCo Keyprovider (the `attestation-agent` provider reached over gRPC) to wrap that key.
  • CoCo Keyprovider generates a random KEK and a key id, wraps the layer key with the KEK, and returns the wrapped key, which ocicrypt stores in the layer annotations.
  • CoCo Keyprovider registers the KEK under that key id with KBS.

A guest whose attestation agent uses the same KBS for key brokering can then, after passing attestation, obtain the KEK and decrypt the image.
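After running the procedure above it is worth confirming that the `oci:busybox_encrypted` layout is really encrypted for the provider you asked for, rather than trusting that skopeo did the right thing. The following script is an added example and not part of the KBS project; it relies on ocicrypt's published conventions (the `+encrypted` media type suffix and the `org.opencontainers.image.enc.*` layer annotations) and embeds two constructed sample manifests so it can be exercised offline. The digests and annotation values in the samples are placeholders.

```python
"""check_encrypted.py: confirm an `oci:<dir>` layout written by skopeo is really
encrypted for the expected ocicrypt key provider (added example, not KBS code)."""
import hashlib
import json
import os
import sys
import tempfile
from typing import Dict, List, Tuple

ENCRYPTED_SUFFIX = "+encrypted"
PROVIDER_ANNOTATION_PREFIX = "org.opencontainers.image.enc.keys.provider."
PUBOPTS_ANNOTATION = "org.opencontainers.image.enc.pubopts"


def check_manifest(manifest: Dict, provider: str) -> List[str]:
    """Return the problems found; an empty list means every layer is encrypted
    and carries a wrapped key for `provider`."""
    layers = manifest.get("layers", [])
    if not layers:
        return ["manifest has no layers"]
    key = PROVIDER_ANNOTATION_PREFIX + provider
    problems = []
    for i, layer in enumerate(layers):
        media_type = layer.get("mediaType", "")
        if not media_type.endswith(ENCRYPTED_SUFFIX):
            # One plaintext layer next to encrypted ones still leaks that layer.
            problems.append(f"layer {i}: plaintext media type {media_type}")
            continue
        annotations = layer.get("annotations") or {}
        if not annotations.get(key):
            problems.append(f"layer {i}: missing wrapped-key annotation {key}")
        if not annotations.get(PUBOPTS_ANNOTATION):
            problems.append(f"layer {i}: missing {PUBOPTS_ANNOTATION}")
    return problems


def check_oci_layout(path: str, provider: str) -> List[str]:
    """Walk the layout: index.json -> each manifest blob -> its layers."""
    with open(os.path.join(path, "index.json")) as f:
        index = json.load(f)
    problems = []
    for entry in index.get("manifests", []):
        digest = entry["digest"]  # "sha256:<hex>"
        algo, hexdigest = digest.split(":", 1)
        with open(os.path.join(path, "blobs", algo, hexdigest)) as f:
            manifest = json.load(f)
        problems += [f"{digest}: {p}" for p in check_manifest(manifest, provider)]
    return problems


# Constructed samples; digests and annotation values are placeholders, not real output.
ENCRYPTED_MANIFEST = {
    "schemaVersion": 2,
    "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
               "digest": "sha256:c0ffee", "size": 1},
    "layers": [{
        "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip+encrypted",
        "digest": "sha256:0a0a", "size": 1,
        "annotations": {
            PROVIDER_ANNOTATION_PREFIX + "attestation-agent": "<base64 keyprovider packet>",
            PUBOPTS_ANNOTATION: "<base64 public layer options>",
        },
    }],
}
PLAINTEXT_MANIFEST = {
    "schemaVersion": 2,
    "config": ENCRYPTED_MANIFEST["config"],
    "layers": [{"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
                "digest": "sha256:0a0a", "size": 1}],
}


def write_layout(path: str, manifest: Dict) -> None:
    """Materialise a one-manifest OCI layout so check_oci_layout can run offline."""
    blob = json.dumps(manifest).encode()
    hexdigest = hashlib.sha256(blob).hexdigest()  # blobs are named by content digest
    os.makedirs(os.path.join(path, "blobs", "sha256"), exist_ok=True)
    with open(os.path.join(path, "blobs", "sha256", hexdigest), "wb") as f:
        f.write(blob)
    with open(os.path.join(path, "index.json"), "w") as f:
        json.dump({"schemaVersion": 2, "manifests": [
            {"mediaType": "application/vnd.oci.image.manifest.v1+json",
             "digest": "sha256:" + hexdigest, "size": len(blob)}]}, f)


def selfcheck() -> Tuple[List[str], List[str]]:
    """Run both samples through the walker: (encrypted_problems, plaintext_problems)."""
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = os.path.join(tmp, "good"), os.path.join(tmp, "bad")
        write_layout(good, ENCRYPTED_MANIFEST)
        write_layout(bad, PLAINTEXT_MANIFEST)
        return (check_oci_layout(good, "attestation-agent"),
                check_oci_layout(bad, "attestation-agent"))


if __name__ == "__main__":
    layout = sys.argv[1] if len(sys.argv) > 1 else "busybox_encrypted"
    found = check_oci_layout(layout, "attestation-agent")
    print("\n".join(found) if found else f"{layout}: all layers encrypted for attestation-agent")
    sys.exit(1 if found else 0)
```

Run it as `python3 check_encrypted.py busybox_encrypted` after the skopeo step; a non-zero exit means at least one layer is still plaintext or lacks the wrapped key for the `attestation-agent` provider, which is exactly the case where a guest would pull a layer it was never meant to read in clear.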