Docker Content Trust

This definition is part of our Essential Guide: Virtual container technology options for management, security

Docker Content Trust is a security feature for Docker containers. Content Trust, which uses cryptographic keys to verify that container images and their publisher have not been compromised, became available with the release of Docker Engine 1.8 in August 2015.

To verify Docker images and their publisher, Docker Content Trust uses pairs of private and public cryptographic keys: content signed with a publisher's private key can be checked by anyone who holds the matching public key, but a valid signature cannot be produced without the private key. With Content Trust, Docker images -- the container files that hold application components and content -- are signed with their creator's, or publisher's, private key before the image is pushed to the Docker repository.

When another IT team member goes to use that image, Content Trust uses the publisher's public key to verify that the image is the latest signed version and has not been tampered with. As software developers update or change an image, the cryptographic signature continues to ensure that the content is original and from a trusted source.

Docker Content Trust uses up to four different kinds of keys to secure content:

Target and Snapshot Keys: Together these two keys are known as the "repository key," which is created for each new repository the publisher owns and can be shared with any user who needs to be able to digitally sign off on content.

Offline Key: This key serves as the root of trust for the repository, and the same key can be used for multiple repositories. It should be kept offline to protect it from compromise.

Timestamp Key: This key is used when content is added to or removed from the repository and is meant to prevent replay attacks, in which users run signed but expired content.
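The signing and verification flow described above, and the way the four key roles (offline root, target, snapshot and timestamp) chain together, can be seen in the following added example. It is not Docker's or Notary's code: it is a simplified model written in Go (the language Docker and Notary are implemented in) that uses Ed25519 signatures and JSON documents standing in for the real metadata formats, which differ in detail. The tag name, the placeholder digest and the generated keys are all constructed for the example; the "publisher" signs the chain in Publish, and the "consumer", trusting only the root public key, walks it back in Verify and refuses stale, altered, unsigned or foreign-signed metadata.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

type (
	// Signed is a serialized metadata document plus a signature over its exact bytes.
	Signed struct{ Body, Sig []byte }
	// Root is what the offline key signs: the public key trusted for each online role.
	Root struct{ Targets, Snapshot, Timestamp ed25519.PublicKey }
	// Targets pins each image tag to the digest of its manifest.
	Targets struct{ Tags map[string]string }
	// Snapshot fixes which Targets document is current.
	Snapshot struct{ TargetsHash [sha256.Size]byte }
	// Timestamp fixes which Snapshot is current and expires quickly, so replayed old metadata is rejected.
	Timestamp struct {
		SnapshotHash [sha256.Size]byte
		Expires      time.Time
	}
	// Keys are the publisher's private keys; Repo is the signed set a client fetches.
	Keys struct{ Root, Targets, Snapshot, Timestamp ed25519.PrivateKey }
	Repo struct{ Root, Targets, Snapshot, Timestamp Signed }
)

// NewKeys generates fresh, constructed test keys for all four roles.
func NewKeys() Keys {
	gen := func() ed25519.PrivateKey {
		_, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		return priv
	}
	return Keys{gen(), gen(), gen(), gen()}
}

func pub(priv ed25519.PrivateKey) ed25519.PublicKey { return priv.Public().(ed25519.PublicKey) }

// sign serializes v and signs exactly the bytes that verifiers will hash and check.
func sign(priv ed25519.PrivateKey, v interface{}) Signed {
	body, err := json.Marshal(v)
	if err != nil {
		panic(err)
	}
	return Signed{Body: body, Sig: ed25519.Sign(priv, body)}
}

// open verifies s with pk (checking the key length so a malformed key fails rather than panics) and decodes the body into v.
func open(pk ed25519.PublicKey, s Signed, v interface{}) bool {
	return len(pk) == ed25519.PublicKeySize && ed25519.Verify(pk, s.Body, s.Sig) &&
		json.Unmarshal(s.Body, v) == nil
}

// Publish signs the metadata chain for tags; the timestamp is valid for ttl from now.
func Publish(k Keys, tags map[string]string, now time.Time, ttl time.Duration) Repo {
	root := sign(k.Root, Root{pub(k.Targets), pub(k.Snapshot), pub(k.Timestamp)})
	targets := sign(k.Targets, Targets{Tags: tags})
	snapshot := sign(k.Snapshot, Snapshot{TargetsHash: sha256.Sum256(targets.Body)})
	ts := sign(k.Timestamp, Timestamp{sha256.Sum256(snapshot.Body), now.Add(ttl)})
	return Repo{root, targets, snapshot, ts}
}

// Verify is the consumer side: trusting only rootPub, walk root -> timestamp -> snapshot -> targets
// and return the digest pinned for tag, or the first check that failed.
func Verify(rootPub ed25519.PublicKey, r Repo, tag string, now time.Time) (string, error) {
	var root, ts, snap, targets = Root{}, Timestamp{}, Snapshot{}, Targets{}
	switch {
	case !open(rootPub, r.Root, &root):
		return "", errors.New("root metadata rejected: bad signature")
	case !open(root.Timestamp, r.Timestamp, &ts):
		return "", errors.New("timestamp metadata rejected: bad signature")
	case now.After(ts.Expires):
		return "", errors.New("timestamp expired: stale (replayed) metadata rejected")
	case ts.SnapshotHash != sha256.Sum256(r.Snapshot.Body) || !open(root.Snapshot, r.Snapshot, &snap):
		return "", errors.New("snapshot metadata rejected: hash or signature mismatch")
	case snap.TargetsHash != sha256.Sum256(r.Targets.Body) || !open(root.Targets, r.Targets, &targets):
		return "", errors.New("targets metadata rejected: hash or signature mismatch")
	case targets.Tags[tag] == "":
		return "", fmt.Errorf("tag %q is not signed in this repository", tag)
	}
	return targets.Tags[tag], nil
}

func main() {
	k, now := NewKeys(), time.Date(2015, 8, 11, 12, 0, 0, 0, time.UTC)
	// Constructed sample: one tag pinned to a placeholder digest, not a real image.
	repo := Publish(k, map[string]string{"1.8": "sha256:<placeholder-digest>"}, now, time.Hour)
	digest, err := Verify(pub(k.Root), repo, "1.8", now)
	fmt.Println("fresh pull:", digest, err)
	_, err = Verify(pub(k.Root), repo, "1.8", now.Add(2*time.Hour))
	fmt.Println("same metadata two hours later:", err)
}
```

Each check in Verify corresponds to one risk the article names: the root signature ties the metadata to the publisher's offline key, the targets digest detects an altered image, and the timestamp expiry is what turns a validly signed but out-of-date copy of the metadata into a rejected pull instead of a replay.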

Docker Content Trust is based on the open source tool Notary, along with The Update Framework (TUF), a design framework for securing software update systems.

Content Trust is one of several container features from Docker, whose headquarters are in San Francisco, Calif. Content Trust is used primarily by developers and IT system administrators.

This was last updated in November 2015
