US 11,055,428 B1
Systems and methods for encrypted container image management, deployment, and execution
Cedric Clerget, Ormenans (FR); Ian Kaneshiro, East Lansing, MI (US); Gregory Kurtzer, Albany, CA (US); and John Frey, Sammamish, WA (US)
Assigned to CTRL IQ, Inc., Albany, CA (US)
Filed by CTRL IQ, Inc., Albany, CA (US)
Filed on Feb. 26, 2021, as Appl. No. 17/186,287.
Int. Cl. G06F 21/62 (2013.01); H04L 9/32 (2006.01); H04L 29/06 (2006.01); H04L 9/08 (2006.01)
CPC G06F 21/6218 (2013.01) [H04L 9/083 (2013.01); H04L 9/3263 (2013.01); H04L 63/0442 (2013.01)] 20 Claims
OG exemplary drawing
1. A method for retaining encryption throughout a runtime execution of a container that accesses encrypted data from an image of the container, the method comprising:
retrieving an encrypted container image from a repository, the encrypted container image comprising encrypted first data and encrypted second data, wherein the encrypted first data comprises executable services that are encrypted to prevent execution until the first data is decrypted;
storing the encrypted container image with the encrypted first data and the encrypted second data to non-volatile storage of a particular node;
obtaining a decryption key for the encrypted container image from a source other than the repository based on the particular node having authorization as a trusted node to decrypt and run the encrypted container image;
constructing a container based on the encrypted container image, wherein constructing the container comprises mounting the encrypted container image as part of a file system of the container; and
running the container using hardware resources of the particular node, wherein running the container comprises decrypting and initializing the executable services from the file system in response to a file system request for accessing the container, and encrypting decrypted data, that is generated from running the executable services in volatile storage of the particular node, as additional encrypted data to store as part of the encrypted second data on the non-volatile storage of the particular node.
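Added illustration, not code from the patent or its assignee: the Go sketch below models the lifecycle claim 1 describes, with an image made of two encrypted sections, a key source separate from the repository that releases the key only to a trusted node, decryption of the executable services only when the mounted file system is read, and re-encryption of runtime output back into the second data section. AES-256-GCM, the trusted-node map and all type and function names are assumptions chosen for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Image is the encrypted container image of claim 1: encrypted executable services
// (first data) and encrypted working data (second data), both encrypted at rest.
type Image struct{ Services, Data []byte }

// Seal encrypts plain with AES-256-GCM and prefixes the random nonce to the output.
func Seal(key [32]byte, plain []byte) []byte {
	blk, _ := aes.NewCipher(key[:]) // cannot fail: the key is exactly 32 bytes
	g, _ := cipher.NewGCM(blk)       // cannot fail for an AES block cipher
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no entropy: never emit ciphertext under a predictable nonce
	}
	return g.Seal(nonce, nonce, plain, nil)
}

// Open reverses Seal; the GCM tag check rejects a wrong key or tampered bytes.
func Open(key [32]byte, ct []byte) ([]byte, error) {
	blk, _ := aes.NewCipher(key[:])
	g, _ := cipher.NewGCM(blk)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// KeyFor models the key source that is separate from the image repository: the
// image key is released only to a node on the trusted list (assumed policy store).
func KeyFor(trusted map[string]bool, imageKey [32]byte, node string) ([32]byte, error) {
	if !trusted[node] {
		return [32]byte{}, errors.New("node is not trusted to decrypt this image")
	}
	return imageKey, nil
}

// ReadServices answers a file system request on the mounted image by decrypting the
// services on access; the key lives only in volatile memory, never beside the image.
func (img *Image) ReadServices(key [32]byte) ([]byte, error) { return Open(key, img.Services) }

// Commit encrypts data generated at runtime and stores it as the second data.
func (img *Image) Commit(key [32]byte, generated []byte) { img.Data = Seal(key, generated) }
```

The image stored on the node's non-volatile storage never holds plaintext at any point: services are decrypted only in memory on access, and `Commit` writes back only ciphertext.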