IBM Research has announced two container-based open-source projects — Encrypted Container Images and Trusted Service Identity — to enable confidentiality of code and data.
- Encrypted Container Images protects the confidentiality of the workload/code by extending the OCI (Open Container Initiative) container image specification with +encrypted media types, which allows developers to encrypt container images so that they can only be decrypted by authorized parties (developers, clusters, machines, etc.).
- This ensures that the workload stays encrypted from build to run-time. Without the appropriate key, the content of the image remains confidential even if the registry itself is compromised.
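The following Go program is an added illustration of the build-to-run-time property described above; it is not IBM's code nor the real OCI encrypted-image tooling. It models a manifest descriptor whose media type carries the `+encrypted` suffix, seals the layer with AES-256-GCM, and then shows what each party can do with the pushed blob: a registry can verify the content digest but cannot read the layer, and only a holder of the key can decrypt it. The annotation key used to carry the nonce, the `Descriptor` struct, and the direct use of a raw symmetric key (the real design wraps a per-layer key for each authorized recipient) are simplifications assumed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Descriptor is a trimmed-down OCI content descriptor: just enough to show
// how a manifest references an encrypted layer.
type Descriptor struct {
	MediaType   string
	Digest      string
	Size        int
	Annotations map[string]string
}

const (
	plainLayerType     = "application/vnd.oci.image.layer.v1.tar+gzip"
	encryptedLayerType = plainLayerType + "+encrypted" // suffix added by the spec extension
	// Assumed annotation key carrying the AES-GCM nonce; constructed for this
	// example and not taken from the real specification.
	nonceAnnotation = "example.org/layer-nonce"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptLayer seals a layer with AES-256-GCM (the media type is bound as
// associated data) and returns the descriptor plus the blob to push.
func EncryptLayer(plain, key []byte) (Descriptor, []byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Descriptor{}, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Descriptor{}, nil, err
	}
	blob := gcm.Seal(nil, nonce, plain, []byte(encryptedLayerType))
	sum := sha256.Sum256(blob)
	return Descriptor{
		MediaType:   encryptedLayerType,
		Digest:      "sha256:" + hex.EncodeToString(sum[:]),
		Size:        len(blob),
		Annotations: map[string]string{nonceAnnotation: base64.StdEncoding.EncodeToString(nonce)},
	}, blob, nil
}

// VerifyDigest is all a registry, or anyone without the key, can check:
// that the blob matches the descriptor. It proves integrity, not readability.
func VerifyDigest(desc Descriptor, blob []byte) bool {
	sum := sha256.Sum256(blob)
	return desc.Size == len(blob) && desc.Digest == "sha256:"+hex.EncodeToString(sum[:])
}

// DecryptLayer is the run-time side: only a key holder recovers the layer,
// and a tampered or mismatched blob is rejected before it is ever unpacked.
func DecryptLayer(desc Descriptor, blob, key []byte) ([]byte, error) {
	if !strings.HasSuffix(desc.MediaType, "+encrypted") {
		return nil, errors.New("descriptor does not mark the layer as encrypted")
	}
	if !VerifyDigest(desc, blob) {
		return nil, errors.New("blob does not match descriptor digest or size")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := base64.StdEncoding.DecodeString(desc.Annotations[nonceAnnotation])
	if err != nil || len(nonce) != gcm.NonceSize() {
		return nil, errors.New("missing or malformed nonce annotation")
	}
	return gcm.Open(nil, nonce, blob, []byte(desc.MediaType))
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	layer := []byte("constructed layer: /app/config.yaml holding a database password") // constructed input
	desc, blob, err := EncryptLayer(layer, key)
	if err != nil {
		panic(err)
	}
	fmt.Println("media type:", desc.MediaType)
	fmt.Println("registry can verify digest:", VerifyDigest(desc, blob))
	fmt.Println("registry can see plaintext:", bytes.Contains(blob, []byte("password")))
	_, err = DecryptLayer(desc, blob, make([]byte, 32))
	fmt.Println("wrong key:", err)
	plain, _ := DecryptLayer(desc, blob, key)
	fmt.Println("right key:", string(plain))
}
```

The integrity check runs before decryption on purpose: a pull client should refuse a blob whose digest does not match the manifest regardless of whether it holds the key, and GCM's authentication tag additionally catches any modification of the ciphertext or of the bound media type.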
- Trusted Service Identity protects sensitive data access by ensuring only attested services are able to obtain credentials.
- This is done through the use of a workload identity composed of run-time measurements, such as the image name, cluster name, and data center location, which together identify the application.
According to IBM, these measurements are securely signed by a service running on every hosting node, using a chain of trust installed during the secure bootstrapping of the environment.
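To show how such a chain of trust can gate credential release, here is an added Go example; it is not IBM's Trusted Service Identity code, and the function names (`Bootstrap`, `SignIdentity`, `IssueCredential`), the `Measurements` fields and the use of raw Ed25519 signatures in place of certificates are assumptions made for illustration. A root key endorses each node's signing key during bootstrapping, the node service signs the measurements it observed, and a secrets broker walks the chain from root to node to claims before applying policy; a node with a self-minted key, or claims edited after signing, obtains nothing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Measurements are the run-time facts that make up a workload identity here:
// the image, cluster name and data center location the article mentions.
type Measurements struct {
	Image      string `json:"image"`
	Cluster    string `json:"cluster"`
	DataCenter string `json:"datacenter"`
}

// NodeCredential is what secure bootstrapping installs on a node: the node
// service's signing key, endorsed by the environment's root key.
type NodeCredential struct {
	NodePub ed25519.PublicKey
	RootSig []byte // root signature over NodePub
}

// SignedIdentity is the claim the node service issues to a workload.
type SignedIdentity struct {
	Claims  []byte // JSON-encoded Measurements
	NodeSig []byte // node signature over Claims
	Node    NodeCredential
}

// Bootstrap models chain-of-trust installation: the root key signs a freshly
// generated node key. A real deployment would issue a certificate instead.
func Bootstrap(rootPriv ed25519.PrivateKey) (NodeCredential, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return NodeCredential{}, nil, err
	}
	return NodeCredential{NodePub: pub, RootSig: ed25519.Sign(rootPriv, pub)}, priv, nil
}

// SignIdentity is the node-resident service signing what it measured.
func SignIdentity(nodePriv ed25519.PrivateKey, cred NodeCredential, m Measurements) (SignedIdentity, error) {
	claims, err := json.Marshal(m)
	if err != nil {
		return SignedIdentity{}, err
	}
	return SignedIdentity{Claims: claims, NodeSig: ed25519.Sign(nodePriv, claims), Node: cred}, nil
}

// Policy names the identity that may receive a given secret.
type Policy struct {
	Image, Cluster, DataCenter string
}

// IssueCredential is the secrets-broker side: verify root -> node -> claims,
// then apply policy. Anything that is not attested is refused.
func IssueCredential(rootPub ed25519.PublicKey, id SignedIdentity, p Policy, secret string) (string, error) {
	if len(id.Node.NodePub) != ed25519.PublicKeySize ||
		!ed25519.Verify(rootPub, id.Node.NodePub, id.Node.RootSig) {
		return "", errors.New("node key is not endorsed by the root of trust")
	}
	if !ed25519.Verify(id.Node.NodePub, id.Claims, id.NodeSig) {
		return "", errors.New("claims were not signed by the attesting node")
	}
	var m Measurements
	if err := json.Unmarshal(id.Claims, &m); err != nil {
		return "", err
	}
	if m.Image != p.Image || m.Cluster != p.Cluster || m.DataCenter != p.DataCenter {
		return "", fmt.Errorf("identity %+v is not permitted by policy", m)
	}
	return secret, nil
}

func main() {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	cred, nodePriv, _ := Bootstrap(rootPriv)
	// Constructed measurements for a sample workload.
	m := Measurements{Image: "registry.example/payments:1.4", Cluster: "prod-eu", DataCenter: "fra"}
	id, _ := SignIdentity(nodePriv, cred, m)
	policy := Policy{Image: m.Image, Cluster: "prod-eu", DataCenter: "fra"}
	fmt.Println(IssueCredential(rootPub, id, policy, "db-password"))

	// A node with a self-minted key cannot vouch for anything.
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	rogue := NodeCredential{NodePub: roguePriv.Public().(ed25519.PublicKey), RootSig: make([]byte, ed25519.SignatureSize)}
	rid, _ := SignIdentity(roguePriv, rogue, m)
	fmt.Println(IssueCredential(rootPub, rid, policy, "db-password"))
}
```

The broker never trusts the measurements as presented; it trusts them only because a key it can trace to the bootstrap root signed them, which is what makes the identity attested rather than self-asserted.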