@lumjjb
Last active November 30, 2023 20:51
Skopeo example usage with encrypted image and functional exploration

Bunch of manual tests

Basic pull image and set up local registry

$ ./skopeo copy docker://docker.io/library/nginx:latest oci:nginx_local
Getting image source signatures
Copying blob 000eee12ec04 done
Copying blob eb22865337de done
Copying blob bee5d581ef8b done
Copying config 5eb6083c55 done
Writing manifest to image destination
Storing signatures

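# Set up a registry on port 5000

# Generate the RSA key pair used for encryption and decryption
# (1024 bits is only acceptable for a throwaway test; use 2048 bits or more for real keys)
$ openssl genrsa -out private.key 1024
$ openssl rsa -in private.key -pubout > public.key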

Encrypt locally

$ ./skopeo copy --encryption-key jwe:./public.key oci:nginx_local oci:nginx_encrypted
Getting image source signatures
Copying blob 000eee12ec04 done
Copying blob eb22865337de done
Copying blob bee5d581ef8b done
Copying config 5eb6083c55 done
Writing manifest to image destination
Storing signatures

# Verify with:

$ file ./nginx_encrypted/blobs/sha256/*
./nginx_encrypted/blobs/sha256/2bf43be889eefb9fa4e2aeafe02d7017b1f9520d9d05b9bb3eec3ecaba692aa5: data
./nginx_encrypted/blobs/sha256/5eb6083c55f01e40fba0b5df053b52c4380a1c2a010ed1fb78a3ae10f793d323: ASCII text, with very long lines, with no line terminators
./nginx_encrypted/blobs/sha256/7e58f49f4d1d536fb72a0cd5e2fa6bcc3a619d8d9eee435b07abb3a25fcf11c6: data
./nginx_encrypted/blobs/sha256/aec99114d7e7d39d740f02c81b7d90b05c9f1a903167720678f5d698d6e7dc3d: ASCII text, with very long lines, with no line terminators
./nginx_encrypted/blobs/sha256/e1f81e786490fc5c623e094aaf35eb8756958a2bf5190425755fac634d8966c0: data


$ grep -r "+encrypted" ./nginx_encrypted/blobs/sha256/
# output should look like encrypted layers

Copy locally without decryption

$ ./skopeo copy oci:nginx_encrypted oci:nginx_encrypted_copy

$ file ./nginx_encrypted_copy/blobs/sha256/*
./nginx_encrypted_copy/blobs/sha256/2bf43be889eefb9fa4e2aeafe02d7017b1f9520d9d05b9bb3eec3ecaba692aa5: data
./nginx_encrypted_copy/blobs/sha256/5eb6083c55f01e40fba0b5df053b52c4380a1c2a010ed1fb78a3ae10f793d323: ASCII text, with very long lines, with no line terminators
./nginx_encrypted_copy/blobs/sha256/7e58f49f4d1d536fb72a0cd5e2fa6bcc3a619d8d9eee435b07abb3a25fcf11c6: data
./nginx_encrypted_copy/blobs/sha256/aec99114d7e7d39d740f02c81b7d90b05c9f1a903167720678f5d698d6e7dc3d: ASCII text, with very long lines, with no line terminators
./nginx_encrypted_copy/blobs/sha256/e1f81e786490fc5c623e094aaf35eb8756958a2bf5190425755fac634d8966c0: data

$ grep -r "+encrypted" ./nginx_encrypted_copy/blobs/sha256/
# output should look like encrypted layers

Decrypt locally

$ ./skopeo copy --decryption-key ./private.key oci:nginx_encrypted oci:nginx_decrypted
Getting image source signatures
Copying blob e1f81e786490 done
Copying blob 2bf43be889ee done
Copying blob 7e58f49f4d1d done
Copying config 5eb6083c55 done
Writing manifest to image destination
Storing signatures

$ file ./nginx_decrypted/blobs/sha256/*
./nginx_decrypted/blobs/sha256/000eee12ec04cc914bf96e8f5dee7767510c2aca3816af6078bd9fbe3150920c: gzip compressed data
./nginx_decrypted/blobs/sha256/2c3c078642b13e34069e55adfd8b93186950860383e49bdeab4858b4a4bdb1bd: ASCII text, with very long lines, with no line terminators
./nginx_decrypted/blobs/sha256/5eb6083c55f01e40fba0b5df053b52c4380a1c2a010ed1fb78a3ae10f793d323: ASCII text, with very long lines, with no line terminators
./nginx_decrypted/blobs/sha256/bee5d581ef8bfee2b5a54685813ba6ad9bbe922115d7aef84a21a9dbfcc2d979: gzip compressed data
./nginx_decrypted/blobs/sha256/eb22865337de3edb54ec8b52f6c06de320f415e7ec43f01426fdafb8df6d6eb7: gzip compressed data

$ grep -r "+encrypted" ./nginx_decrypted/blobs/sha256/
# should have no output
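
The `grep -r "+encrypted"` check above produces output as soon as one layer is marked encrypted. As an added example (not part of the original gist or of skopeo), the Python below walks an OCI layout such as `nginx_encrypted`, verifies each manifest blob against its digest, and reports per layer whether its media type ends in `+encrypted`. The function names and the sample layout are constructed for illustration, and it assumes a single-image layout like the ones `skopeo copy` writes here.

```python
import hashlib, json, os, tempfile

def read_blob(layout, digest):
    """Load blobs/<alg>/<hex> and check its content against the digest."""
    alg, hexval = digest.split(":", 1)
    with open(os.path.join(layout, "blobs", alg, hexval), "rb") as f:
        data = f.read()
    if hashlib.new(alg, data).hexdigest() != hexval:
        raise ValueError("digest mismatch for " + digest)
    return data

def layer_encryption_report(layout):
    """Return [(layer digest, mediaType, is_encrypted)] for each image manifest."""
    with open(os.path.join(layout, "index.json")) as f:
        index = json.load(f)
    report = []
    for desc in index["manifests"]:
        manifest = json.loads(read_blob(layout, desc["digest"]))
        for layer in manifest.get("layers", []):
            mt = layer["mediaType"]
            report.append((layer["digest"], mt, mt.endswith("+encrypted")))
    return report

def fully_encrypted(layout):
    """True only if the layout has layers and every one is marked encrypted."""
    report = layer_encryption_report(layout)
    return bool(report) and all(enc for _, _, enc in report)

def build_sample_layout(root, media_types):
    """Constructed sample data: one manifest whose layers use the given media types."""
    os.makedirs(os.path.join(root, "blobs", "sha256"), exist_ok=True)
    def put(data):
        h = hashlib.sha256(data).hexdigest()
        with open(os.path.join(root, "blobs", "sha256", h), "wb") as f:
            f.write(data)
        return "sha256:" + h
    layers = [{"mediaType": mt, "digest": put(b"layer-%d" % i), "size": 7}
              for i, mt in enumerate(media_types)]
    manifest = json.dumps({"schemaVersion": 2, "layers": layers}).encode()
    index = {"schemaVersion": 2, "manifests": [{"digest": put(manifest), "size": len(manifest),
             "mediaType": "application/vnd.oci.image.manifest.v1+json"}]}
    with open(os.path.join(root, "index.json"), "w") as f:
        json.dump(index, f)
    return root

if __name__ == "__main__":
    enc = "application/vnd.oci.image.layer.v1.tar+gzip+encrypted"
    demo = build_sample_layout(tempfile.mkdtemp(), [enc, enc.replace("+encrypted", "")])
    print(layer_encryption_report(demo), fully_encrypted(demo))
```

Against the directories created in this gist, call `fully_encrypted("nginx_encrypted")` or `fully_encrypted("nginx_decrypted")` from the directory that holds them.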

Encrypt remotely

$ ./skopeo copy --dest-tls-verify=false --encryption-key jwe:./public.key oci:nginx_local docker://localhost:5000/nginx_encrypted
Getting image source signatures
Copying blob 000eee12ec04 done
Copying blob eb22865337de done
Copying blob bee5d581ef8b done
Copying config 5eb6083c55 done
Writing manifest to image destination
Storing signatures


# Try downloading without decrypting

$ ./skopeo copy --src-tls-verify=false docker://localhost:5000/nginx_encrypted oci:nginx_remote_enc
Getting image source signatures
Copying blob d869123ec4fa done
Copying blob bbd10d3e6617 done
Copying blob f51062528853 done
Copying config 5eb6083c55 done
Writing manifest to image destination
Storing signatures

$ file ./nginx_remote_enc/blobs/sha256/*
./nginx_remote_enc/blobs/sha256/2e72f883531d407af8d777c1da2d32db5b62ee2a1d2c7314078afcce73b6d229: ASCII text, with very long lines, with no line terminators
./nginx_remote_enc/blobs/sha256/5eb6083c55f01e40fba0b5df053b52c4380a1c2a010ed1fb78a3ae10f793d323: ASCII text, with very long lines, with no line terminators
./nginx_remote_enc/blobs/sha256/bbd10d3e6617893bc90d40650c28214b999f62dd2b43ed1a4c4d42e11285d865: data
./nginx_remote_enc/blobs/sha256/d869123ec4fab15f49eb64d50f14e4ee1332c7516e13ab874a66656b3685b727: data
./nginx_remote_enc/blobs/sha256/f510625288538ed6d0f758d4e0a0db66794cc53c20e4fa9480981b23ea032554: data

$ grep -r "+encrypted" ./nginx_remote_enc/blobs/sha256/
# output should look like encrypted layers

Download with decryption

$ ./skopeo copy --decryption-key ./private.key --src-tls-verify=false docker://localhost:5000/nginx_encrypted oci:nginx_remote_dec
Getting image source signatures
Copying blob d869123ec4fa done
Copying blob bbd10d3e6617 done
Copying blob f51062528853 done
Copying config 5eb6083c55 done
Writing manifest to image destination
Storing signatures

$ file ./nginx_remote_dec/blobs/sha256/*
./nginx_remote_dec/blobs/sha256/000eee12ec04cc914bf96e8f5dee7767510c2aca3816af6078bd9fbe3150920c: gzip compressed data
./nginx_remote_dec/blobs/sha256/2c3c078642b13e34069e55adfd8b93186950860383e49bdeab4858b4a4bdb1bd: ASCII text, with very long lines, with no line terminators
./nginx_remote_dec/blobs/sha256/5eb6083c55f01e40fba0b5df053b52c4380a1c2a010ed1fb78a3ae10f793d323: ASCII text, with very long lines, with no line terminators
./nginx_remote_dec/blobs/sha256/bee5d581ef8bfee2b5a54685813ba6ad9bbe922115d7aef84a21a9dbfcc2d979: gzip compressed data
./nginx_remote_dec/blobs/sha256/eb22865337de3edb54ec8b52f6c06de320f415e7ec43f01426fdafb8df6d6eb7: gzip compressed data

$ grep -r "+encrypted" ./nginx_remote_dec/blobs/sha256/
# should have no output

Copy from registry to registry encrypted

# Set up a registry on port 6000

$ ./skopeo copy --src-tls-verify=false --dest-tls-verify=false docker://localhost:5000/nginx_encrypted docker://localhost:5000/nginx_encrypted_copy
Getting image source signatures
Copying blob bbd10d3e6617 done
Copying blob d869123ec4fa done
Copying blob f51062528853 done
Copying config 5eb6083c55 done
Writing manifest to image destination
Storing signatures

$ ./skopeo copy --src-tls-verify=false --dest-tls-verify=false docker://localhost:5000/nginx_encrypted docker://localhost:6000/nginx_encrypted
Getting image source signatures
Copying blob bbd10d3e6617 done
Copying blob d869123ec4fa done
Copying blob f51062528853 done
Copying config 5eb6083c55 done
Writing manifest to image destination
Storing signatures


$ ./skopeo copy --src-tls-verify=false docker://localhost:6000/nginx_encrypted oci:registry_copy_enc
Getting image source signatures
Copying blob d869123ec4fa done
Copying blob bbd10d3e6617 done
Copying blob f51062528853 done
Copying config 5eb6083c55 done
Writing manifest to image destination
Storing signatures

$ file ./registry_copy_enc/blobs/sha256/*
./registry_copy_enc/blobs/sha256/2e72f883531d407af8d777c1da2d32db5b62ee2a1d2c7314078afcce73b6d229: ASCII text, with very long lines, with no line terminators
./registry_copy_enc/blobs/sha256/5eb6083c55f01e40fba0b5df053b52c4380a1c2a010ed1fb78a3ae10f793d323: ASCII text, with very long lines, with no line terminators
./registry_copy_enc/blobs/sha256/bbd10d3e6617893bc90d40650c28214b999f62dd2b43ed1a4c4d42e11285d865: data
./registry_copy_enc/blobs/sha256/d869123ec4fab15f49eb64d50f14e4ee1332c7516e13ab874a66656b3685b727: data
./registry_copy_enc/blobs/sha256/f510625288538ed6d0f758d4e0a0db66794cc53c20e4fa9480981b23ea032554: data

$ grep -r "+encrypted" ./registry_copy_enc/blobs/sha256/
# output should show encrypted layers