Container Isolation component preserves confidentiality of sensitive data in a containerized virtual environment. By exploiting Docker’s layered filesystem users can securely manipulate images throughout their life cycle. The component can secure both data on disk, by encrypting/decrypting on the fly, and data migration by enhancing the image distribution process.
A layered filesystem provides a flexible mechanism for easy versioning and efficient distribution of container images. However, current systems do not protect sensitive data from malicious privileged users, since encryption is not natively supported. Container Isolation component adds to the benefits of such a filesystem by providing data isolation in a Docker virtual environment. Our system offers transparent mechanisms to secure sensitive data by adding encryption/decryption capabilities to the image creation and distribution process.
Our solution relies on the underlying union filesystem to provide encryption/decryption for data-at-rest and data-on-the-move in Docker containers. The data-on-the-move module encrypts and distributes securely the sensitive layers of a Docker image (fig.2): the public parts-layers of an image are pulled from the Docker image registry but the topmost layers with the sensitive data are transferred in encrypted form and are decrypted in the destination. The data-at-rest module encrypts/decrypts on-the-fly sensitive on-disk data, transparently for the user: the corresponding layer is mapped to an encrypted volume leveraging inherent mechanisms of different Cloud Computing platforms.
Containers are constantly gaining ground in virtualization as a lightweight/efficient alternative to hypervisor-based VMs, with Docker being a popular representative. In virtual environments (ie. Cloud Computing platforms), where multiple users are occupying shared resources, confidentiality of user data is important. We provide a mechanism to securely manage Docker images with sensitive data in such environments.