Running Hyper Protect Virtual Server containers on the Secure Service Container partitions provides you the following advantages in terms of security and integrity.

  • System administrators do not need the access to the application data, memory, logs, secrets, applications or the operating system in the Hyper Protect Virtual Server containers.
  • Application developers do not need the secret to the production environment, and managing the Hyper Protect Virtual Server containers does not require access to the application secrets.
  • The containerized application images are signed with GPG keys when publishing, and verified again when being deployed. The signing keys are generated within the Secure Build process and your private keys are never revealed. Only the images generated by using the Secure Build procedure can be uploaded to your docker repository and installed to the Secure Service Container partitions.
  • The Secure Build generates a signed manifest indicating the origin of the image for future audit. The manifest contains a copy of the Github project that was cloned by the Secure Build server container, and a copy of the build log (build.log) and overall build status result (build.json). The manifest tar ball is signed with the manifest private key. The user can download the manifest public key and use it to verify a manifest. You can optionally store the manifest in the IBM Cloud Object Storage (COS) by using the Secure Build.
  • You can integrate IBM Hyper Protect Virtual Servers into your own Continuous Integration and Continuous Delivery (CICD) pipeline to fully adopt the security advantages provided by the offering.