DEV Community

Cover image for Secure Docker : Enable Docker Content Trust

Posted on • Updated on

Secure Docker : Enable Docker Content Trust

I love Docker and Security so I thought why not write about Docker Content Trust. so here you go...

Originally posted at

Docker Content Trust allows you to have an image
signing so you can make sure that you're
not running arbitrary code you're
actually running the code that you wanted
to run in the first place.

When Docker trust is Enabled And publisher pushes the image to a remote registry, Docker Engine signs the image locally with the publisher’s private key. When someone pulls this image, Docker uses the publisher’s public key to verify the image integrity and checks image is exactly what the publisher created, has not been tampered with, and is up to date.

Enabling Content Trust

  • Enable via Environment Variable
  • Or CLI Flag:
  $> docker pull --disable-content-trust=false mongo:tag

As soon as you enable docker content trust using Environment Variable


Every docker single docker operation is secure like

  • docker push
  • docker run
  • docker pull

Every single operation is now gonna have to operate on the signature. if you try to run unsigned image docker will not allow you.

If you are creating a docker image of your application and pushing it to Repository and pull it over the network. Then you should enable content trust.

Steps to Sign Docker Images.

  • enable docker content trust
    $> export DOCKER_CONTENT_TRUST=1
  • Push image
  $> docker push  [yourImage:tag]

If you are doing it first time it will generate root key, repo key and other keys.(By default this is stored in ~/.docker/trust/). you need to enter the passphrase for root key and repo key. After giving the passphrase it will push the signed image.

You should back up the root key somewhere safe. Given that it is only required to create new repositories, it is a good idea to store it offline in hardware.
manage keys for DCT.

From now on docker push operation will prompt you to enter the passphrase of your repo. if the content trust is enabled. but this can be automated.

Automation with content trust

Most of the time we build our images using the automation system. To enable content trust on our automation system we can use the Environment variable.


if you use this variable then you do not need to enter the passphrase every time.

Docker Content Trust is available in Docker CS Engine 1.9.0 and Docker EE. May be Docker content trust will be enabled by default in the future.

Discussion (0)