Docker Content Trust Gets Hardware Signing

Nov 16 2015

Three months ago we launched Docker Content Trust, integrating the guarantees from The Update Framework (TUF) into Docker using Notary, an open source tool that provides trust over any content.

Today we’re incredibly excited to announce support for hardware-based signing in Notary and Docker experimental.


We launched hardware signing in Notary today at DockerCon EU 2015, where we gave developers the power to be secure content publishers by providing a free Yubikey 4 to every single attendee.

To use hardware signing, you need to install Docker experimental. For all of you Mac users out there, we created a special Docker Toolbox just for this event that comes with everything you need installed.

The Yubikey 4 is Yubico’s new flagship product, featuring a completely new hardware and software stack that lets Docker integrate with it seamlessly and provide the best security for Docker image signing.

If you want to increase the security of your Docker images, enable Docker Content Trust, get yourself a Yubikey 4 and sign away.

The quickest way to get started with hardware signing is by downloading the docker experimental binary that comes with the DockerCon 2015 Demo Toolbox: docker-x

After it’s installed, you can plug your Yubikey into a USB port and generate yourself a Docker Content Trust root key.


Make sure that the key actually made it to both the Yubikey and your local private key directory by using notary key list.


See those two keys in the listing? It means that you now have a root key stored both in your private key directory (encrypted at rest) and inside the Yubikey.

WARNING: Make sure to back up your root key to a secure offline location. The loss of a root key is irrecoverable. You can back up your keys with notary key backup.
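As an added example (not part of the original post or of Notary itself), here is a small shell check for the step above: it parses the output of notary key list and confirms that the same root key ID appears both on the Yubikey and in the local file-backed key store. The column layout of the listing and the sample output embedded here are assumptions, constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `notary key list` output (layout assumed, not copied from the post):
# one root key on the Yubikey, the same key ID in the local private key directory,
# and an unrelated targets key for a repository.
SAMPLE_LISTING='ROLE      GUN                  KEY ID                                                             LOCATION
----      ---                  ------                                                             --------
root                           0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef   yubikey
root                           0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef   file (/home/user/.docker/trust/private)
targets   docker.io/demo/app   fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210   file (/home/user/.docker/trust/private)'

# root_key_in_both_stores LISTING
# Returns 0 (and prints the key IDs) when at least one root key ID is listed
# both with LOCATION "yubikey" and with a file-backed LOCATION; returns 1 otherwise.
root_key_in_both_stores() {
    printf '%s\n' "$1" | awk '
        # Skip the header row and its underline.
        NR <= 2 { next }
        # Root keys carry no GUN, so the key ID is field 2 and the location starts at field 3.
        $1 == "root" {
            id = $2; loc = $3
            if (loc == "yubikey") on_token[id] = 1
            else on_disk[id] = 1
        }
        END {
            found = 0
            for (id in on_token) if (id in on_disk) { print id; found = 1 }
            exit found ? 0 : 1
        }'
}

# Stand-alone usage: report whether the backup copy exists alongside the token-resident key.
if root_key_in_both_stores "$SAMPLE_LISTING" >/dev/null; then
    echo "root key present on the Yubikey and in the local key store"
else
    echo "root key is NOT present in both stores; check the Yubikey and the private key directory"
fi
```

Pipe the real listing in with `root_key_in_both_stores "$(notary key list)"` once your Yubikey is plugged in.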

Now that we have our root key generated inside the Yubikey, we can generate keys for our first repository and push our first signed image!


And that is it. Everyone in the world that has Docker Content Trust enabled can now securely download your content.

More details on how to use Docker Content Trust to sign your images can be found here. If you want more information on Notary, check out the Notary docs here.



5 thoughts on “Docker Content Trust Gets Hardware Signing”

  1. Sebastian Bulzak

    Good to see Docker is getting serious about security. Hardware tokens are a good solution for large organizations. I've had tokens fail on me, and the turnaround time to replace them is a critical flaw.

    Do you plan to support software tokens?

  2. Sebastian Bulzak

    Forget about it. I didn't realize you could sign content with a Yubikey. I always used it for MFA.

    MFA could be interesting at the docker registry level.

  3. Does Yubikey have any alternatives for signing instead of touching the device? I am asking this because big enterprises prefer automation rather than manually touching the device each time to sign.

    Can you please let me know on this. Thank you.

    • The root key on the Yubikey is used to sign the target/snapshot key (which is used to sign the image metadata). It's not clear from this blog post if the target/snapshot keys are *also* stored on the yubikey, or the yubikey is only used to sign them, and they are then stored on the host. If they are stored on the host, then they can still be used in automation. I'm starting to play with all this now, so should know more soon. I'm also curious about keeping the target/snapshot key in a hardware-backed HSM for the automation process.

  4. This page is out-of-date, but is still the page that new yubikey 4 users get when they inquire about Docker code signing.
    E.g. clicking on is a 404 not found.
    Running notary version yields: notary Version: 0.4.3 Git commit: 9211198
    But running the given command "notary key generate" with my yubikey plugged in doesn't result in the key getting on to the yubikey, according to the list command.
    So what should we do?
    Please update the post, or update the link from Yubikey to the proper Docker support page.

    This seems more up-to-date, but doesn't give clarity on how to get the necessary libraries etc installed on Ubuntu Trusty 14.04:
