Hi folks!
I am trying to deploy a private Docker registry in AWS, and as part of my client's requirements there is a need to encrypt data almost everywhere, including the blobs stored in the registry.
Although this could easily be achieved with an EC2 instance and an encrypted EBS volume, we'd like to use an S3 bucket to take advantage of the benefits that offers.
As per the documentation on the S3 storage backend, other than the usual configuration I am using encrypted=true and keyid=my_key_id in a setup similar to this:
docker run -p 5000:5000 \
  -e "REGISTRY_STORAGE=s3" \
  -e "REGISTRY_STORAGE_S3_REGION=eu-east-1" \
  -e "REGISTRY_STORAGE_S3_BUCKET=my_bucket" \
  -e "REGISTRY_STORAGE_S3_ACCESSKEY=my_access" \
  -e "REGISTRY_STORAGE_S3_SECRETKEY=my_secret" \
  -e "ENCRYPT=true" \
  -e "KEYID=test-key" registry:2
What I see in the registry's log output is the same as if I omit the two extra parameters, and it does not seem to encrypt any data on the server side.
To test that, I set up another registry on another instance pointing at the exact same bucket but WITHOUT passing the encryption key option, and from this new registry I can pull without any problems any image pushed to the other one (so I conclude that no encryption is applied; otherwise the second registry would not give me any valid images that I could pull).
Has anyone else experienced this issue or know how to solve it?
Any help appreciated!!! Cheers!!!
Cris
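Two points worth adding to the post above, plus an example that is not part of the original question. First, the registry's S3 driver takes its storage options from REGISTRY_STORAGE_S3_* variables (the `encrypt` and `keyid` parameters map to REGISTRY_STORAGE_S3_ENCRYPT and REGISTRY_STORAGE_S3_KEYID); bare ENCRYPT and KEYID variables are not read by the registry, which matches the unchanged log output described. Second, a pull from a second registry is not a valid test of server-side encryption: S3 decrypts SSE-KMS objects transparently for any principal that has s3:GetObject on the bucket and kms:Decrypt on the key, so both registries would read the blobs regardless of whether they are encrypted at rest. The reliable check is the object metadata itself. The script below is an added example, not from the original post or the registry project: `check_sse` parses the output of `aws s3api head-object` and reports whether an object is SSE-KMS encrypted with the expected key; the two JSON samples are constructed, the key ARN and account id are placeholders, and `audit_object` wraps the real AWS CLI call for use against a live bucket.

```shell
#!/bin/sh
# Added example: verify server-side encryption of registry blobs in S3 from the
# object metadata, instead of inferring it from whether a pull succeeds.

# Constructed sample of `aws s3api head-object` output for a blob written with
# SSE-KMS. The key ARN is a placeholder, not a real key.
SAMPLE_ENCRYPTED='{
    "ContentLength": 32,
    "ServerSideEncryption": "aws:kms",
    "SSEKMSKeyId": "arn:aws:kms:eu-east-1:123456789012:key/EXAMPLE-KEY-ID"
}'

# Constructed sample for a blob written with no server-side encryption at all:
# S3 simply omits the ServerSideEncryption field.
SAMPLE_PLAIN='{
    "ContentLength": 32,
    "ContentType": "application/octet-stream"
}'

# check_sse JSON EXPECTED_KEY_ARN
# Prints one of: encrypted (SSE-KMS with the expected key), wrong-key (some
# other SSE mode or key, e.g. AES256 / SSE-S3), plaintext (no SSE at all).
check_sse() {
  json=$1
  expected=$2
  sse=$(printf '%s\n' "$json" | sed -n 's/.*"ServerSideEncryption": *"\([^"]*\)".*/\1/p')
  keyid=$(printf '%s\n' "$json" | sed -n 's/.*"SSEKMSKeyId": *"\([^"]*\)".*/\1/p')
  if [ -z "$sse" ]; then
    echo plaintext
  elif [ "$sse" = "aws:kms" ] && [ "$keyid" = "$expected" ]; then
    echo encrypted
  else
    echo wrong-key
  fi
}

# audit_object BUCKET KEY EXPECTED_KEY_ARN
# Runs the real head-object call against a live bucket and classifies the result.
# Registry blobs live under docker/registry/v2/blobs/ in the bucket.
audit_object() {
  bucket=$1
  key=$2
  expected=$3
  meta=$(aws s3api head-object --bucket "$bucket" --key "$key") || return 1
  check_sse "$meta" "$expected"
}

# Stand-alone demonstration on the constructed samples.
check_sse "$SAMPLE_ENCRYPTED" "arn:aws:kms:eu-east-1:123456789012:key/EXAMPLE-KEY-ID"
check_sse "$SAMPLE_PLAIN" "arn:aws:kms:eu-east-1:123456789012:key/EXAMPLE-KEY-ID"
```

Against a live bucket, list a few blob keys with `aws s3api list-objects-v2 --bucket my_bucket --prefix docker/registry/v2/blobs/` and pass each to `audit_object`; a result of `plaintext` for blobs pushed after enabling the option means the registry never applied the encryption setting, while `wrong-key` means encryption is on but not with the KMS key the client mandates. Objects written before the option was fixed stay unencrypted until they are rewritten, so the audit should cover the whole prefix, not just the newest blobs.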