lumjjb · September 25, 2019 22:56
diff --git a/containerd-enc-notes b/containerd-enc-notes
 # Preparing the build

 1. Build the encryption `imgcrypt` decoder and `ctr` helpers. Because the current branch is designed for `containerd/imgcrypt`, but is a fork, it can be built by:
 ```
 cd $GOPATH/containerd/
 git clone [email protected]:stefanberger/imgcrypt.git
 cd imgcrypt
 make
 ```

 2. This will produce 2 files, `ctr` and `ctd-decoder`


 3. Create a `config.toml` file for containerd, replacing `/path/to` with the path the the location of the build binaries.

 ```subreaper = true
 oom_score = -999

 [debug]
        level = "debug"

 [metrics]
        address = "127.0.0.1:1338"

 [plugins.linux]
        runtime = "runc"
        shim_debug = true

 [stream_processors]
    [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.gzip"]
 	accepts = ["application/vnd.docker.image.rootfs.diff.tar.gzip+enc"]
 	returns = "application/vnd.docker.image.rootfs.diff.tar.gzip"
 	path = "/path/to/ctd-decoder"
 [stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
 	accepts = ["application/vnd.docker.image.rootfs.diff.tar+enc"]
 	returns = "application/vnd.docker.image.rootfs.diff.tar"
 	path = "/path/to/ctd-decoder"
  ```
  
  
 4. Get the latest containerd or the current rc for 1.3 and build it.

 5. Run containerd with the pointing to the config file created in the earlier step:

 i.e.
 ```
 lumjjb@lumjjb-ThinkPad-P50:~/go/src/github.com/containerd/containerd$ sudo bin/containerd --config /etc/containerd/config.toml
 ```


 # Encrypting an image

 * For following steps: ctr in this case uses the one built with `imgcrypt` repo.

 1. Generate an rsa key pair

 ```
 openssl genrsa -out private.key 1024
 openssl rsa -in private.key -pubout > public.key
 ```

 2. Pull the image
 ```
 ./ctr images pull --all-platforms docker.io/library/alpine:latest
 ```

 3. Encrypt an image:
 ```
 ./ctr images encrypt --recipient jwe:`pwd`/public.key docker.io/library/alpine:latest encrypted-alpine
 ```

 4. To decrypt it with `ctr`, the command to use is:
 ```
 ./ctr images decrypt --key `pwd`/private.key encrypted-alpine decrypted-alpine
 ```

 5. The `ctr` command can also be used to push the image, by making use of `ctr images push`.

 6. Since the KEP is not merged yet, there are currently no keys being passed to containerd. However, the `imgcrypt` binary ctd-decoder can be modified to be boostrapped with some keys in:

 https://github.com/stefanberger/imgcrypt/blob/master/cmd/ctd-decoder/main.go#L45

 The `DecryptConfig` can be formed by using helpers using https://godoc.org/github.com/containers/ocicrypt/config
	# Preparing the build

	1. Build the encryption `imgcrypt` decoder and `ctr` helpers. Because the current branch is designed for `containerd/imgcrypt`, but is a fork, it can be built by:
	```
	cd $GOPATH/containerd/
	git clone [email protected]:stefanberger/imgcrypt.git
	cd imgcrypt
	make
	```

	2. This will produce 2 files, `ctr` and `ctd-decoder`


	3. Create a `config.toml` file for containerd, replacing `/path/to` with the path the the location of the build binaries.

	```subreaper = true
	oom_score = -999

	[debug]
	level = "debug"

	[metrics]
	address = "127.0.0.1:1338"

	[plugins.linux]
	runtime = "runc"
	shim_debug = true

	[stream_processors]
	[stream_processors."io.containerd.ocicrypt.decoder.v1.tar.gzip"]
	accepts = ["application/vnd.docker.image.rootfs.diff.tar.gzip+enc"]
	returns = "application/vnd.docker.image.rootfs.diff.tar.gzip"
	path = "/path/to/ctd-decoder"
	[stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
	accepts = ["application/vnd.docker.image.rootfs.diff.tar+enc"]
	returns = "application/vnd.docker.image.rootfs.diff.tar"
	path = "/path/to/ctd-decoder"
	```


	4. Get the latest containerd or the current rc for 1.3 and build it.

	5. Run containerd with the pointing to the config file created in the earlier step:

	i.e.
	```
	lumjjb@lumjjb-ThinkPad-P50:~/go/src/github.com/containerd/containerd$ sudo bin/containerd --config /etc/containerd/config.toml
	```


	# Encrypting an image

	* For following steps: ctr in this case uses the one built with `imgcrypt` repo.

	1. Generate an rsa key pair

	```
	openssl genrsa -out private.key 1024
	openssl rsa -in private.key -pubout > public.key
	```

	2. Pull the image
	```
	./ctr images pull --all-platforms docker.io/library/alpine:latest
	```

	3. Encrypt an image:
	```
	./ctr images encrypt --recipient jwe:`pwd`/public.key docker.io/library/alpine:latest encrypted-alpine
	```

	4. To decrypt it with `ctr`, the command to use is:
	```
	./ctr images decrypt --key `pwd`/private.key encrypted-alpine decrypted-alpine
	```

	5. The `ctr` command can also be used to push the image, by making use of `ctr images push`.

	6. Since the KEP is not merged yet, there are currently no keys being passed to containerd. However, the `imgcrypt` binary ctd-decoder can be modified to be boostrapped with some keys in:

	https://github.com/stefanberger/imgcrypt/blob/master/cmd/ctd-decoder/main.go#L45

	The `DecryptConfig` can be formed by using helpers using https://godoc.org/github.com/containers/ocicrypt/config