通过 Azure DevOps 构建一个加密的 Docker 容器

Question

I have a pipeline in Azure DevOps that build a container and push it in my Azure Container Registry.

# Docker
# Build and push an image to Azure Container Registry
# https://learn.microsoft.com/azure/devops/pipelines/languages/docker

trigger:
- main

resources:
- repo: self

variables:
  # Container registry service connection established during pipeline creation
  dockerRegistryServiceConnection: 'myguyd'
  imageRepository: 'p2005'
  containerRegistry: 'myacr.azurecr.io'
  dockerfilePath: '$(Build.SourcesDirectory)/api/DOCKERFILE'
  tag: '$(Build.BuildId)'

  # Agent VM image name
  vmImageName: 'ubuntu-latest'

stages:
- stage: Build
  displayName: Build and push stage
  jobs:
  - job: Build
    displayName: Build
    pool:
      vmImage: $(vmImageName)
    steps:
    - task: Docker@2
      displayName: Build and push an image to container registry
      inputs:
        command: buildAndPush
        repository: $(imageRepository)
        dockerfile: $(dockerfilePath)
        containerRegistry: $(dockerRegistryServiceConnection)
        tags: latest

In the container I also have some raw data file that the application needs. In the security point of view, it is not great to have the raw data in the container.

So, I was thinking if there is a way to encrypt the Docker container. And if so, how to do it in the Azure pipeline.

Answer 1

I don't know there is a way to encrypt via the Azure pipeline. If you're using AKS by chance, you can take a look at Confidential Computing .

A hardware-based Trusted Execution Environment (TEE) provides strong assurances. A TEE provides hardware and software measurements from trusted computing base (TCB) components. Confidential containers offerings on Azure allow verification of these measurements and validate if the container applications run in a verifiable execution environment.

Confidential containers support custom applications developed with any programming languages. You can also run Docker containers off the shelf.

You can achieve this with Intel SGX and AKS.

To run an existing Docker container, applications on confidential computing nodes require an abstraction layer or Intel Software Guard Extensions (SGX) software to use the special CPU instruction set. Configure SGX to protect your sensitive application code. SGX creates a direct execution to the CPU to remove the guest operating system (OS), host OS, or hypervisor from the trust boundary. This step reduces the overall surface attack areas and vulnerabilities.

Azure Kube.netes Service (AKS) fully supports confidential containers. You can run existing containers confidentially on AKS.