Verifiable Publish and Import
Encrypting instance archives
alpine publish <instance name>
creates a .tar.gz
archive of the filesystem and configurations of an instance. These archives can be used for backup or sharing
purposes.
If instances are published for sharing, it may be desirable to authenticate them using strong cryptography. This allows for verifiable publishing and importing of instances over untrusted channels such as the internet or shared storage. It also allows for encrypted backups of sensitive instances.
alpine publish -e <instance name>
/alpine publish --encrypt <instance name>
: encrypt and authenticate archive with key derived from a passphrase (interactive prompt)
To provide this functionality, macpine
uses age
, a modern, efficient, and vetted Go implementation of strong cryptographic
tools which enable authenticated encryption of files.
Encrypting with a password
$ alpine list
NAME STATUS SSH PORTS ARCH PID TAGS
devel Stopped 22 aarch64 - daemon,dev
$ alpine publish -e devel # publish instance `devel` with password
Enter passphrase (leave empty to autogenerate a secure one): [return]
age: using autogenerated passphrase "better-avocado-regret-marriage-acoustic-beyond-search-record-drum-shadow"
$ ls devel.tar.gz.age # encrypted archive is created
devel.tar.gz.age
$ alpine delete devel
$ alpine list
NAME STATUS SSH PORTS ARCH PID TAGS
$ alpine import devel.tar.gz.age # import requires the corresponding private key
Enter passphrase: better-avocado-regret-marriage-acoustic-beyond-search-record-drum-shadow
$ alpine list
NAME STATUS SSH PORTS ARCH PID TAGS
devel Stopped 22 aarch64 - daemon,dev
Further information
For the details of age
, such as the age
file format, refer to the documentation of the project.
age
also supports asymmetric cryptography, encrypting & signing using age
public keys or even ssh
keys. In order to share a macpine
instance (e.g. example-instance
) to a GitHub user (e.g. example-user
) with the ssh
keys listed in their profile:
brew install age
curl -s https://github.com/example-user.keys | head -n1 > example-user.pub
alpine publish example-instance
age -e -o example-instance.tar.gz.age -R example-user.pub example-instance.tar.gz
# example-instance.tar.gz.age can be decrypted with example-user's private key
Note that ssh
keys are generally used for authentication rather than long-term encryption and therefore may not be kept private. This
approach should be used only if this caveat can be considered an acceptable risk.