[Discuss] Container to deploy a web service

[jay at lentecs.com (Jason Normand)]

Dan,

I fully agree, I was mostly making the point that in docker everything is
shared with the host system.  its possible to obscure things, but that all
depends on how savy and motivated the users are.  in the end docker is a
open system, build by people with an open source mentality.  there are
companies working to address security concerns, but the complexities
involved are not for your average user.


On Thu, Nov 8, 2018 at 9:45 AM Dan Ritter <dsr at randomstring.org> wrote:

> Jason Normand:
> > from a strictly technical perspective, in order to make something like
> this
> > work in docker you would need to set up some kind of runtime decryption.
> > basically your system would need to read encrypted files from the volume
> > then decrypt them into a memory based storage (harder thought not
> > impossible to read form the host).  with docker any files in a running
> > container are fully accessible from the host system, and further files in
> > the container image can be unpacked by anyone with access to the image.
> so
> > with docker who ever has access to the host system, has access to all
> > container files.
>
> All of this has happened before. It's called "copy protection"
> or "DRM - digital rights management".
>
> It always goes like this:
>
> 1. I want to sell you something, but I don't want you to be able
>    to look inside it or copy it or something.
>
> 2. So I encrypt the thing. Now you can't access it.
>
> 3. So I give you a method of playing the thing.
>
> 4. But you still can't access it because it's encrypted, so I
>    also have to send the key along.
>
> 5. Now I have sent you the encrypted thing, a way to use the
>    thing, and the key to unencrypting the thing. Why have I gone
>    to all this bother again?
>
> In case it's clear: don't do this. It's not worth while.
>
> -dsr-
>