Isolation in Docker through Layer Encryption
Ioannis Giannakopoulos, Konstantinos Papazafeiropoulos, Katerina Doka and Nectarios Koziris
National Technical University of Athens, National Technical University of Athens, National Technical University of Athens, National Technical University of Athens

Containers are constantly gaining ground in the virtualization landscape as a lightweight and efficient alternative to hypervisor-based Virtual Machines, with Docker being the most successful representative. Docker relies on union-capable file systems, where any action performed to a base image is captured as a new file system layer. This strategy allows developers to easily pack applications into Docker image layers and distribute them via public registries. However, this image creation and distribution strategy does not protect sensitive data from malicious privileged users (e.g., registry administrator, cloud provider), since encryption is not natively supported. We propose and demonstrate a mechanism for secure Docker image manipulation throughout its life cycle: The creation, storage and usage of a Docker image is backed by a data-at-rest mechanism, which maintains sensitive data encrypted on disk and encrypts/decrypts them on-the-fly in order to preserve their confidentiality at all times, while the distribution and migration of images is enhanced with a mechanism that encrypts only specific layers of the file system that need to remain confidential and ensures that only legitimate key holders can decrypt them and reconstruct the original image. Through a rich interaction with our system the audience will experience first-hand how sensitive image data can be safely distributed and remain encrypted at the storage device throughout the container's lifetime, bearing only a marginal performance overhead.