{"id":13509483,"url":"https://github.com/containerd/imgcrypt","last_synced_at":"2025-05-13T23:06:50.638Z","repository":{"id":35425200,"uuid":"217386639","full_name":"containerd/imgcrypt","owner":"containerd","description":"OCI Image Encryption Package","archived":false,"fork":false,"pushed_at":"2025-05-07T01:31:27.000Z","size":11187,"stargazers_count":390,"open_issues_count":1,"forks_count":48,"subscribers_count":18,"default_branch":"main","last_synced_at":"2025-05-07T02:27:34.538Z","etag":null,"topics":["containers","encryption","gpg","oci","oci-image"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/containerd.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGES","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-10-24T20:10:03.000Z","updated_at":"2025-05-07T01:31:28.000Z","dependencies_parsed_at":"2024-03-27T16:02:23.654Z","dependency_job_id":"24b9b8fa-5321-43a6-a08d-b4bfe0167c11","html_url":"https://github.com/containerd/imgcrypt","commit_stats":null,"previous_names":[],"tags_count":19,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/containerd%2Fimgcrypt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/containerd%2Fimgcrypt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/containerd%2Fimgcrypt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/containerd%2Fimgcrypt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/containerd"
,"download_url":"https://codeload.github.com/containerd/imgcrypt/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254040966,"owners_count":22004641,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["containers","encryption","gpg","oci","oci-image"],"created_at":"2024-08-01T02:01:08.433Z","updated_at":"2025-05-13T23:06:45.629Z","avatar_url":"https://github.com/containerd.png","language":"Go","readme":"# imgcrypt image encryption library and command line tool\n\nProject `imgcrypt` is a non-core subproject of containerd.\n\nThe `imgcrypt` library provides API extensions for containerd to support encrypted container images and implements\nthe `ctd-decoder` command line tool for use by containerd to decrypt encrypted container images. An extended version\nof containerd's `ctr` tool (`ctr-enc`) with support for encrypting and decrypting container images is also provided.\n\n`imgcrypt` relies on the [`ocicrypt`](https://github.com/containers/ocicrypt) library for crypto functions on image layers.\n\n# Usage\n\n`imgcrypt` requires containerd 1.3 or later. Containerd 1.4 or later is required when used with Kubernetes.\nFor configuration instructions for Kubernetes, please consult the [CRI decryption document](https://github.com/containerd/containerd/blob/main/docs/cri/decryption.md).\n\nBuild and install `imgcrypt`:\n\n```\n# make\n# sudo make install\n```\n\nStart containerd with a configuration file that looks as follows. To avoid interference with a containerd from a Docker\ninstallation we use /tmp for directories. 
Also, we build containerd 1.3 from the source but do not install it.\n\n```\n# cat config.toml\nversion = 2\ndisabled_plugins = [\"io.containerd.grpc.v1.cri\"]\nroot = \"/tmp/var/lib/containerd\"\nstate = \"/tmp/run/containerd\"\n[grpc]\n  address = \"/tmp/run/containerd/containerd.sock\"\n  uid = 0\n  gid = 0\n[stream_processors]\n    [stream_processors.\"io.containerd.ocicrypt.decoder.v1.tar.gzip\"]\n        accepts = [\"application/vnd.oci.image.layer.v1.tar+gzip+encrypted\"]\n        returns = \"application/vnd.oci.image.layer.v1.tar+gzip\"\n        path = \"/usr/local/bin/ctd-decoder\"\n    [stream_processors.\"io.containerd.ocicrypt.decoder.v1.tar.zstd\"]\n        accepts = [\"application/vnd.oci.image.layer.v1.tar+zstd+encrypted\"]\n        returns = \"application/vnd.oci.image.layer.v1.tar+zstd\"\n        path = \"/usr/local/bin/ctd-decoder\"\n    [stream_processors.\"io.containerd.ocicrypt.decoder.v1.tar\"]\n        accepts = [\"application/vnd.oci.image.layer.v1.tar+encrypted\"]\n        returns = \"application/vnd.oci.image.layer.v1.tar\"\n        path = \"/usr/local/bin/ctd-decoder\"\n\n# sudo ~/src/github.com/containerd/containerd/bin/containerd -c config.toml\n```\n\nCreate an RSA key pair using the openssl command line tool and encrypt an image:\n\n```\n# openssl genrsa -out mykey.pem\nGenerating RSA private key, 2048 bit long modulus (2 primes)\n...............................................+++++\n............................+++++\ne is 65537 (0x010001)\n# openssl rsa -in mykey.pem -pubout -out mypubkey.pem\nwriting RSA key\n# sudo chmod 0666 /tmp/run/containerd/containerd.sock\n# CTR=\"/usr/local/bin/ctr-enc -a /tmp/run/containerd/containerd.sock\"\n# $CTR images pull --all-platforms docker.io/library/bash:latest\n[...]\n# $CTR images layerinfo --platform linux/amd64 docker.io/library/bash:latest\n   #                                                                    DIGEST      PLATFORM      SIZE   ENCRYPTION   RECIPIENTS\n   0   
sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609   linux/amd64   2789669                          \n   1   sha256:7dd01fd971d4ec7058c5636a505327b24e5fc8bd7f62816a9d518472bd9b15c0   linux/amd64   3174665                          \n   2   sha256:691cfbca522787898c8b37f063dd20e5524e7d103e1a3b298bd2e2b8da54faf5   linux/amd64       340                          \n# $CTR images encrypt --recipient jwe:mypubkey.pem --platform linux/amd64 docker.io/library/bash:latest bash.enc:latest\nEncrypting docker.io/library/bash:latest to bash.enc:latest\n$ $CTR images layerinfo --platform linux/amd64 bash.enc:latest\n   #                                                                    DIGEST      PLATFORM      SIZE   ENCRYPTION   RECIPIENTS\n   0   sha256:360be141b01f69b25427a9085b36ba8ad7d7a335449013fa6b32c1ecb894ab5b   linux/amd64   2789669          jwe        [jwe]\n   1   sha256:ac601e66cdd275ee0e10afead03a2722e153a60982122d2d369880ea54fe82f8   linux/amd64   3174665          jwe        [jwe]\n   2   sha256:41e47064fd00424e328915ad2f7f716bd86ea2d0d8315edaf33ecaa6a2464530   linux/amd64       340          jwe        [jwe]\n```\n\nStart a local image registry so we can push the encrypted image to it. 
A recent version of the registry is required\nto accept encrypted container images.\n```\n# docker pull registry:latest\n# docker run -d -p 5000:5000 --restart=always --name registry registry\n```\n\nPush the encrypted image to the local registry, pull it using `ctr-enc`, and then run the image.\n```\n# $CTR images tag bash.enc:latest localhost:5000/bash.enc:latest\n# $CTR images push localhost:5000/bash.enc:latest\n# $CTR images rm localhost:5000/bash.enc:latest bash.enc:latest\n# $CTR images pull localhost:5000/bash.enc:latest\n# sudo $CTR run --rm localhost:5000/bash.enc:latest test echo 'Hello World!'\nctr: you are not authorized to use this image: missing private key needed for decryption\n# sudo $CTR run --rm --key mykey.pem localhost:5000/bash.enc:latest test echo 'Hello World!'\nHello World!\n```\n\n## Project details\n\n**imgcrypt** is a non-core containerd sub-project, licensed under the [Apache 2.0 license](./LICENSE).\nAs a containerd sub-project, you will find the:\n * [Project governance](https://github.com/containerd/project/blob/main/GOVERNANCE.md),\n * [Maintainers](MAINTAINERS),\n * and [Contributing guidelines](https://github.com/containerd/project/blob/main/CONTRIBUTING.md)\n\ninformation in our [`containerd/project`](https://github.com/containerd/project) repository.\n","funding_links":[],"categories":["Go","others","工具","Tools","encryption"],"sub_categories":["其他工具","Others"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontainerd%2Fimgcrypt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcontainerd%2Fimgcrypt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontainerd%2Fimgcrypt/lists"}