Towards efficient end-to-end encryption for container checkpointing systems

Conference item

Container checkpointing has emerged as a new paradigm for task migration, preemptive scheduling and elastic scaling of microservices. However, as soon as a snapshot that contains raw memory is exposed through the network or shared storage, sensitive data such as keys and passwords may become compromised. Existing solutions rely on encryption to protect data included in snapshots but by doing so prevent important performance optimizations such as memory de-duplication and incremental checkpointing. To address these challenges, we design and implement CRIUsec, an efficient end-to-end encryption scheme for container checkpointing systems built on the open-source CRIU (Checkpoint/Restore In Userspace). Our preliminary evaluation shows that CRIUsec integrates seamlessly with popular container platforms (Docker, Podman, Kubernetes), and compared to existing solutions, achieves an average of 1.57× speedup for memory-intensive workloads, and can be up to 100× faster for compute-intensive workloads.

Authors: Stoyanov, R; Reber, A; Ueno, D; Cłapiński, M; Vagin, A

• Publication status: Published
• Peer review status: Peer reviewed
• Publisher: Association for Computing Machinery
• Host title: Proceedings of the 15th ACM SIGOPS Asia-Pacific Workshop on Systems (APSys 2024)
• Pages: 60 - 66
• Publication date: 2024-07-18
• Acceptance date: 2024-07-01
• Event title: 15th ACM SIGOPS Asia-Pacific Workshop on Systems (APSys 2024)
• Event location: Kyoto, Japan
• Event website: https://ap-sys.org/
• Event start date: 2024-09-04
• Event end date: 2024-09-05
• DOI: 10.1145/3678015.3680477
• ISBN: 979-8-4007-1105-3
• Language: English
• Keywords: checkpointing; security; CRIU; containers