@lumjjb
Last active September 25, 2019 22:56
Run containerd with encryption support
# Preparing the build
1. Build the encryption decoder (`ctd-decoder`) and the `ctr` helper from the `imgcrypt` fork. The fork keeps the import paths of `containerd/imgcrypt`, so it has to be cloned into that location under `$GOPATH`:
```
cd $GOPATH/src/github.com/containerd/
git clone git@github.com:stefanberger/imgcrypt.git
cd imgcrypt
make
```
2. This produces two binaries, `ctr` and `ctd-decoder`.
3. Create a `config.toml` file for containerd, replacing `/path/to` with the directory that holds the built binaries. The two `stream_processors` entries tell containerd which encrypted layer media types (`+enc`) the decoder accepts and which plain media type it returns:
```
subreaper = true
oom_score = -999
[debug]
level = "debug"
[metrics]
address = "127.0.0.1:1338"
[plugins.linux]
runtime = "runc"
shim_debug = true
[stream_processors]
[stream_processors."io.containerd.ocicrypt.decoder.v1.tar.gzip"]
accepts = ["application/vnd.docker.image.rootfs.diff.tar.gzip+enc"]
returns = "application/vnd.docker.image.rootfs.diff.tar.gzip"
path = "/path/to/ctd-decoder"
[stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
accepts = ["application/vnd.docker.image.rootfs.diff.tar+enc"]
returns = "application/vnd.docker.image.rootfs.diff.tar"
path = "/path/to/ctd-decoder"
```
4. Build containerd from the latest source or from the current 1.3 release candidate (stream processors are a 1.3 feature).
5. Run containerd pointing at the config file created in step 3, e.g.:
```
lumjjb@lumjjb-ThinkPad-P50:~/go/src/github.com/containerd/containerd$ sudo bin/containerd --config /etc/containerd/config.toml
```
# Encrypting an image
* For the following steps, `ctr` is the binary built from the `imgcrypt` repo in the previous section, not the one shipped with containerd.
1. Generate an RSA key pair. Use at least 2048 bits; 1024-bit RSA is below current recommendations and should not protect real images:
```
openssl genrsa -out private.key 2048
openssl rsa -in private.key -pubout > public.key
```
2. Pull the image
```
./ctr images pull --all-platforms docker.io/library/alpine:latest
```
3. Encrypt the image. `--recipient jwe:<path>` wraps the per-layer keys as a JWE for that public key, and the result is stored under the new image name `encrypted-alpine`:
```
./ctr images encrypt --recipient jwe:`pwd`/public.key docker.io/library/alpine:latest encrypted-alpine
```
4. To decrypt it with `ctr`, supply the matching private key:
```
./ctr images decrypt --key `pwd`/private.key encrypted-alpine decrypted-alpine
```
5. The same `ctr` can push the encrypted image to a registry with `ctr images push`.
6. Since the KEP is not merged yet, containerd does not pass any keys to the decoder. As an interim measure, the `imgcrypt` binary `ctd-decoder` can be modified to be bootstrapped with a set of keys at:
https://github.com/stefanberger/imgcrypt/blob/master/cmd/ctd-decoder/main.go#L45
The `DecryptConfig` can be built with the helpers in https://godoc.org/github.com/containers/ocicrypt/config
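The steps above drive the real tools and need a running containerd. To show what sits behind the `stream_processors` entries and what a decoder bootstrapped with keys (step 6) has to do, the following stand-alone Go program is an added example written for this page; it is not code from `imgcrypt`, `ocicrypt` or containerd. It models the scheme with the standard library only: each layer is encrypted under a fresh AES-256-GCM key, that key is wrapped for the recipient with RSA-OAEP and carried in a descriptor annotation, and the decoder tries every private key it was bootstrapped with. The annotation name and the `+enc` media-type suffix follow ocicrypt's naming; the payload format (GCM with a prepended nonce, base64 of the raw OAEP output) is this example's own simplification and is not wire-compatible with images produced by `ctr images encrypt`. The layer bytes are constructed, not a real tarball.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Naming follows ocicrypt: encrypted layers use a "+enc" media-type suffix (the
// accepts/returns pairs in config.toml) and the wrapped layer key travels in a
// descriptor annotation. The payload format here is a simplification.
const annWrappedKey = "org.opencontainers.image.enc.keys.jwe"

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptLayer encrypts one layer blob under a fresh AES-256-GCM key (nonce
// prepended) and wraps that key for the recipient with RSA-OAEP/SHA-256.
func EncryptLayer(layer []byte, recipient *rsa.PublicKey) ([]byte, map[string]string, error) {
	layerKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, layerKey); err != nil {
		return nil, nil, err
	}
	gcm, err := newGCM(layerKey)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, layerKey, nil)
	if err != nil {
		return nil, nil, err
	}
	ann := map[string]string{annWrappedKey: base64.StdEncoding.EncodeToString(wrapped)}
	return gcm.Seal(nonce, nonce, layer, nil), ann, nil
}

// DecryptLayer plays the ctd-decoder role: with the blob, the descriptor
// annotations and the private keys the decoder was bootstrapped with, unwrap
// the layer key with whichever key fits and return the plaintext layer.
// GCM authentication makes a tampered blob fail rather than decode to garbage.
func DecryptLayer(ct []byte, ann map[string]string, keys []*rsa.PrivateKey) ([]byte, error) {
	wrapped, err := base64.StdEncoding.DecodeString(ann[annWrappedKey])
	if err != nil || len(wrapped) == 0 {
		return nil, errors.New("layer has no usable wrapped-key annotation")
	}
	for _, k := range keys {
		layerKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, k, wrapped, nil)
		if err != nil {
			continue // not wrapped for this key; try the next one
		}
		gcm, err := newGCM(layerKey)
		if err != nil {
			return nil, err
		}
		if len(ct) < gcm.NonceSize() {
			return nil, errors.New("ciphertext shorter than nonce")
		}
		return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
	}
	return nil, errors.New("none of the bootstrapped keys can unwrap the layer key")
}

func main() {
	// Constructed stand-in for a layer tarball; a real decoder streams the blob.
	layer := []byte("constructed layer bytes: ./bin/sh ./etc/passwd ...")
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048)
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	ct, ann, err := EncryptLayer(layer, &recipient.PublicKey)
	if err != nil {
		panic(err)
	}
	plain, err := DecryptLayer(ct, ann, []*rsa.PrivateKey{other, recipient})
	fmt.Println("right key present:", err == nil && bytes.Equal(plain, layer))
	_, err = DecryptLayer(ct, ann, []*rsa.PrivateKey{other})
	fmt.Println("wrong key only:", err)
	ct[len(ct)-1] ^= 0x01 // flip one ciphertext bit
	_, err = DecryptLayer(ct, ann, []*rsa.PrivateKey{recipient})
	fmt.Println("tampered blob:", err)
}
```

The key list passed to `DecryptLayer` is the part a bootstrapped `ctd-decoder` would load from disk at start-up; everything else (which annotation to read, trying each key, failing closed on a bad tag) is what any decoder in that position must do regardless of the concrete key-wrapping format.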