Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support Nydus boostrap layer encryption and decryption #479

Merged
merged 3 commits into from
Jun 6, 2023
Merged

Support Nydus boostrap layer encryption and decryption #479

merged 3 commits into from
Jun 6, 2023

Conversation

taoohong
Copy link
Contributor

Use ocicrypt to support encryption and decryption of nydus boostrap layer.

@taoohong
feat: support convertion to encrypted nydus image
6542781 
When converting to nydus image, encrypt the bootstrap layer.

Signed-off-by: taohong <[email protected]>
@taoohong taoohong force-pushed the nydus-encryption branch from fd42796 to 9b29f13 Compare May 15, 2023 02:52
@codecov
Copy link

codecov bot commented May 15, 2023
edited
Loading

Codecov Report

Merging #479 (5a18147) into main (70599d9) will not change coverage.
The diff coverage is n/a.

Additional details and impacted files

Impacted file tree graph

@@           Coverage Diff           @@
##             main     #479   +/-   ##
=======================================
  Coverage   37.31%   37.31%           
=======================================
  Files          59       59           
  Lines        6960     6960           
=======================================
  Hits         2597     2597           
  Misses       4052     4052           
  Partials      311      311

@taoohong taoohong changed the title Nydus boostrap layer encryption and decryption Support Nydus boostrap layer encryption and decryption May 15, 2023
imeoer
imeoer reviewed May 15, 2023
View reviewed changes
go.mod Show resolved Hide resolved
pkg/converter/convert_unix.go Show resolved Hide resolved
pkg/converter/convert_unix.go Outdated Show resolved Hide resolved
pkg/converter/convert_unix.go Outdated Show resolved Hide resolved
pkg/converter/encryption.go Outdated Show resolved Hide resolved
pkg/converter/encryption.go Show resolved Hide resolved
pkg/converter/encryption.go Show resolved Hide resolved
@adamqqqplay
Copy link
Contributor

@taoohong Hi, could you please add some unit tests to your code? Especially the newly added file pkg/converter/encryption.go, thanks in advance.

@taoohong
encryption: support multiple encryption recipients when conversion
ae4a443 
Update encryptRecipients from string to []string,
support multiple encryption recipients when conversion.

Signed-off-by: taohong <[email protected]>
@taoohong taoohong force-pushed the nydus-encryption branch from 9b29f13 to ae4a443 Compare May 15, 2023 11:49
@changweige
Copy link
Member

Could you please share some background information on this feature and its potential users or use cases to help us understand its necessity? How could we consume the package?

changweige
changweige reviewed May 16, 2023
View reviewed changes
go.mod Outdated Show resolved Hide resolved
@taoohong
Copy link
Contributor Author

taoohong commented May 16, 2023
edited
Loading

Could you please share some background information on this feature and its potential users or use cases to help us understand its necessity? How could we consume the package?

Data security has become an important topic in the field of cloud computing. When users no longer trust CSPs, the confidentiality and integrity of user image must be guaranteed. A typical application scenario is confidential containers, where Nydus supports image encryption to address the need for users to accelerate encrypted images. This patch is only one aspect of Nydus' support for image encryption, as it only encrypts metadata. There are other subsequent patches that support chunk-level encryption of data blobs, ultimately achieving Nydus' support for encrypted images.
How to use this? For example:
nydusify convert --source busybox --target localhost:5000/busybox:nydus-enc --encrypt-recipients jwe:/etc/pubkey.pem
nydusify check --target localhost:5000/busybox:nydus-enc --decrypt-keys /etc/key.pem
It's amost the same in acceld/nerdctl, users can add encrypt & decrypt options to configuration file to do this.

@taoohong
Copy link
Contributor Author

@taoohong Hi, could you please add some unit tests to your code? Especially the newly added file pkg/converter/encryption.go, thanks in advance.

done

@adamqqqplay
Copy link
Contributor

Could you please share some background information on this feature and its potential users or use cases to help us understand its necessity? How could we consume the package?

Data security has become an important topic in the field of cloud computing. When users no longer trust CSPs, the confidentiality and integrity of user image must be guaranteed. A typical application scenario is confidential containers, where Nydus supports image encryption to address the need for users to accelerate encrypted images. This patch is only one aspect of Nydus' support for image encryption, as it only encrypts metadata. There are other subsequent patches that support chunk-level encryption of data blobs, ultimately achieving Nydus' support for encrypted images. How to use this? For example: nydusify convert --source busybox --target localhost:5000/busybox:nydus-enc --encrypt-recipients jwe:/etc/pubkey.pem nydusify check --target localhost:5000/busybox:nydus-enc --decrypt-keys /etc/key.pem It's amost the same in acceld/nerdctl, users can add encrypt & decrypt options to configuration file to do this.

Maybe we could add some docs later to introduce this new feature.

@imeoer
Copy link
Collaborator

imeoer commented May 22, 2023

How do we support the blob layer encryption and decryption later?

@taoohong
Copy link
Contributor Author

taoohong commented May 22, 2023
edited
Loading

How do we support the blob layer encryption and decryption later?

JiaNan Huang is working on this. XD

@taoohong
tests: add test for Nydus bootstrap encryption
5a18147 
Add testImageConvertWithCrypt to test Nydus bootstrap
encryption and decryption.

Signed-off-by: taohong <[email protected]>
@taoohong taoohong force-pushed the nydus-encryption branch from 17f5aa0 to 5a18147 Compare June 5, 2023 07:23
imeoer
imeoer approved these changes Jun 6, 2023
View reviewed changes
Copy link
Collaborator

@imeoer imeoer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@imeoer imeoer merged commit 8fc731a into containerd:main Jun 6, 2023
@taoohong taoohong mentioned this pull request Jun 20, 2023
Closed
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@changweige changweige changweige left review comments

@imeoer imeoer imeoer approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@taoohong @adamqqqplay @changweige @imeoer