KBS provides a simple cluster defined by docker-compose, include itself, Attestation Service, Reference Value Provider Service and CoCo Keyprovider
Users can use very simple command to:
- launch KBS service.
- encrypt images.
Run the cluster
git clone https://github.com/confidential-containers/trustee.git
cd trustee
docker compose up -dThe setup container initializes files under kbs/config/docker-compose/ automatically:
-
private.key/public.pub: admin JWT signer and verifier keys for KBS admin API. -
admin-token: long-lived admin bearer token for local development. -
ca-cert.pem,token.key,token-cert-chain.pemand related files: attestation token signing and trust chain material used by AS and KBS.token.key+token-cert-chain.pem— configured as ASsignerto sign JWTs.ca-cert.pem— root CA listed in KBS[attestation_token].trusted_certs_pathsso KBS can validate thex5cchain in token headers.
See Attestation Token Verification for how these files fit together.
Use the generated admin token with kbs-client:
kbs-client config \
--url http://127.0.0.1:8080 \
--admin-token-file kbs/config/docker-compose/admin-token \
set-resource-policy --allow-allIf --admin-token-file is omitted, kbs-client resolves the admin bearer token in this order:
kbs/config/docker-compose/admin-token— relative to the current working directory (typically the repository root aftercd trustee). This file is created by thesetupservice when the docker-compose trustee starts.$HOME/.trustee/admin-token— used only when$HOMEis set and the file exists.- No token — admin requests are sent without authentication. This only works when KBS
admin.authorization_modeisInsecureAllowAll. Thedocker-composecluster defaults toAuthenticatedAuthorization, so you need a token from step 1 or 2 (or pass--admin-token-fileexplicitly).
Note that by default the KBS cluster blocks sample evidence. If you are testing with sample evidence you will need to set a more permissive resource policy.
Then the kbs cluster is launched.
Use skopeo to encrypt an image
# edit ocicrypt.conf
tee > ocicrypt.conf <<EOF
{
"key-providers": {
"attestation-agent": {
"grpc": "127.0.0.1:50000"
}
}
}
EOF
# encrypt the image
OCICRYPT_KEYPROVIDER_CONFIG=ocicrypt.conf skopeo copy --insecure-policy --encryption-key provider:attestation-agent docker://busybox oci:busybox_encryptedThe image will be encrypted, and things happens in the background include:
CoCo Keyprovidergenerates a random KEK and a key id. Then encrypts the image using the KEK.CoCo Keyproviderregisters the KEK with key id into KBS.
If use the same KBS for key brokering, the image can be decrypted.