You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: layer.md
+65-10Lines changed: 65 additions & 10 deletions
Original file line number
Diff line number
Diff line change
@@ -339,32 +339,87 @@ Implementations SHOULD NOT upload layers tagged with this media type; however, s
339
339
340
340
To be able to protect the confidentiality of the data in layers, encryption of the layer data blobs can be done to prevent unauthorized access to layer data. Encryption is performed on the data blob of a layer by specifying a mediatype with the `+enc` suffix. For example, `application/vnd.oci.image.layer.v1.tar+enc` is an layer representation of an encrypted `application/vnd.oci.image.layer.v1.tar` layer.
341
341
342
-
When using the `+enc` mediatype, the layer data blobs are encrypted with a symmetric encryption algorithm (i.e. AES_128_GCM, AES_128_CBC, etc.) according to the [IANA Registry](https://www.iana.org/assignments/aead-parameters/aead-parameters.xhtml).
342
+
When using the `+enc` mediatype, the layer data blobs are encrypted. In order to decrypt an image, the encryption metadata is required.
343
343
344
-
Details of the algorithms and protocols used in the encryption of the data blob are defined in a JSON object below. We note that:
345
-
- The `cipher` field specifies the encryption algorithm in accordance with the [IANA Registry](https://www.iana.org/assignments/aead-parameters/aead-parameters.xhtml).
344
+
## Encryption Metadata
345
+
346
+
The encryption metadata consists of 2 parts: PublicLayerBlockCipherOptions and PrivateLayerBlockCipherOptions. The PublicLayerBlockCipherOptions contain encryption metadata that is public, i.e. cipher type, HMAC, etc. and PrivateLayerBlockCipherOptions contains the encryption metadata which should be confidential, i.e. symmetric key, nonce (optional), etc. These are stored in the respective [**org.opencontainers.image.enc** prefixed annotations](annotations.md).
347
+
348
+
Below are golang definitions of these JSON objects:
349
+
350
+
```
351
+
// PublicLayerBlockCipherOptions includes the information required to encrypt/decrypt
352
+
// an image which are public and can be deduplicated in plaintext across multiple
353
+
// recipients
354
+
type PublicLayerBlockCipherOptions struct {
355
+
// CipherType denotes the cipher type according to the list of OCI suppported
356
+
// cipher types
357
+
CipherType string `json:"cipher"`
358
+
359
+
// Hmac contains the hmac string to help verify encryption
360
+
Hmac string `json:"hmac"`
361
+
362
+
// CipherOptions contains the cipher metadata used for encryption/decryption
363
+
// This field should be populated by Encrypt/Decrypt calls
Details of the algorithms and protocols used in the encryption of the data blob are defined in these JSON objects. Here are some examples of the Public/Private LayerBlockCipherOptions.
385
+
- The `cipher` field specifies the encryption algorithm to use according to the [list of cipher types supported](#cipher-types).
346
386
- The `symkey` field specifies the base64 encoded bytes of the symmetric key used in decryption.
347
387
- The `cipherOptions` field specifies additional parameters used in the decryption process of the specified algorithm. This should be in accordance with the RFC standard of the algorithm used.
Due to the precense of sensitive information in this sturcture, to ensure that only authorized parties are able to decrypt the layers, the decryption metadata objects are wrapped as encrypted messages to the authorized recipients in accordance with encrypted message standards such as [OpenPGP(RFC4880)](https://tools.ietf.org/html/rfc4880), [PKCS7(RFC2315)](https://tools.ietf.org/html/rfc2315), [JWE(RFC7516)](https://tools.ietf.org/html/rfc7516).
407
+
The PublicLayerBlockCipherOptions JSON object is stored base64 encoded in the layer annotation **org.opencontainers.image.enc.pubopts**.
408
+
409
+
The PrivateLayerBlockCipherOptions JSON object is not stored in plaintext due to the sensitive nature of the contents. Instead, the object goes through a cryptographic wrapping process. This ensures that only authorized parties are able to decrypt the layers, the decryption metadata objects are wrapped as encrypted messages to the authorized recipients in accordance with encrypted message standards such as [OpenPGP(RFC4880)](https://tools.ietf.org/html/rfc4880), [PKCS7(RFC2315)](https://tools.ietf.org/html/rfc2315), [JWE(RFC7516)](https://tools.ietf.org/html/rfc7516).
360
410
361
411
The following annotations are used to communicate these encrypted messages:
362
-
-`org.opencontainers.image.enc.keys.pkcs7` - An array of base64 comma separated encrypted messages that contain LayerBlockCipherOptions to perform decryption of the layer data in accordance with [PKCS7(RFC2315)](https://tools.ietf.org/html/rfc2315)
363
-
-`org.opencontainers.image.enc.keys.jwe` - An array of base64 comma separated encrypted messages that contain LayerBlockCipherOptions to perform decryption of the layer data in accordance with [JWE(RFC7516)](https://tools.ietf.org/html/rfc7516)
364
-
-`org.opencontainers.image.enc.keys.openpgp` - An array of base64 comma separated encrypted messages that contain LayerBlockCipherOptions to perform decryption of the layer data in accordance with [OpenPGP(RFC4880)](https://tools.ietf.org/html/rfc4880)
365
-
-`org.opencontainers.image.enc.keys.*` - An array of base64 comma separated encrypted messages that contain LayerBlockCipherOptions to perform decryption of the layer data in accordance with an appropriate standard of specified protocol.
412
+
-`org.opencontainers.image.enc.keys.pkcs7` - An array of base64 comma separated encrypted messages that contain PrivateLayerBlockCipherOptions to perform decryption of the layer data in accordance with [PKCS7(RFC2315)](https://tools.ietf.org/html/rfc2315)
413
+
-`org.opencontainers.image.enc.keys.jwe` - An array of base64 comma separated encrypted messages that contain PrivateLayerBlockCipherOptions to perform decryption of the layer data in accordance with [JWE(RFC7516)](https://tools.ietf.org/html/rfc7516)
414
+
-`org.opencontainers.image.enc.keys.openpgp` - An array of base64 comma separated encrypted messages that contain PrivateLayerBlockCipherOptions to perform decryption of the layer data in accordance with [OpenPGP(RFC4880)](https://tools.ietf.org/html/rfc4880)
415
+
-`org.opencontainers.image.enc.keys.*` - An array of base64 comma separated encrypted messages that contain PrivateLayerBlockCipherOptions to perform decryption of the layer data in accordance with an appropriate standard of specified protocol.
416
+
417
+
The decryption of the image can be performed by unwrapping the PrivateLayerBlockCipherOptions using the `org.opencontainers.image.enc.keys.*` annotations and using the appropriate cipher with the unwrapped PrivateLayerBlockCipherOptions to decrypt the layer data blob.
418
+
419
+
### Cipher Types
366
420
367
-
The decryption of the image can be performed by unwrapping the LayerBlockCipherOptions using the `org.opencontainers.image.enc.keys.*` annotations and using the appropriate cipher with the unwrapped LayerBlockCipherOptions to decrypt the layer data blob.
421
+
The current list of cipher types supported are:
422
+
-`AES_256_CTR_HMAC_SHA256` - Encryption with `AES_256_CTR` algorithm [FIPS-197](https://csrc.nist.gov/csrc/media/publications/fips/197/final/documents/fips-197.pdf) with Encrypt-then-mac [RFC7366](https://tools.ietf.org/html/rfc7366). The protocols used in this cipher type is in accordance to FIPS 140-2 compliant standards.
0 commit comments