Forum Discussion
Can Admins Access IoT Edge Container Code Despite ACR Encryption?
If I deploy my Python application as an IoT Edge container, and the container is pulled from Azure Container Registry (which says all images are encrypted at rest), can someone with administrator access on the machine access the container and see my code?
1 Reply
- riteshdave (Copper Contributor)
Yes, encryption in ACR doesn’t fully protect your code once it’s running on the device.
Here’s the practical reality:
- Azure Container Registry (ACR) encryption only protects images at rest (in the registry) and during transfer
- Once the image is pulled and running on an IoT Edge device, it becomes a local Docker container
- Anyone with admin/root access on that device can:
  - Inspect the container filesystem
  - Export the image
  - View application code (especially for interpreted languages like Python)
This is a general container behavior, not specific to Azure. Containers are not a code protection boundary.
If you need stronger protection:
- Use compiled binaries or obfuscation
- Restrict device/admin access (physical + OS-level security)
- Consider confidential computing / secure enclaves for sensitive workloads
So while ACR encryption is useful, it doesn’t prevent admins on the device from accessing your container code once deployed.
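
To check what your own image exposes before deploying it, the sketch below (an added example, not part of the original reply) walks an image archive in the `manifest.json` plus layer-tar layout that `docker save` writes and returns every interpreted source file stored in plain text. The function names and the in-memory sample image are constructed for illustration.

```python
import io
import json
import tarfile

SOURCE_EXTS = (".py", ".js", ".sh", ".rb")  # interpreted source, readable as-is

def _add(tar, name, data):
    """Add one in-memory file to an open tar archive."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))

def build_sample_image():
    """Constructed stand-in for `docker save` output: one image, one layer."""
    layer = io.BytesIO()
    with tarfile.open(fileobj=layer, mode="w") as t:
        _add(t, "app/main.py", b"def score(x):\n    return x * 0.42  # sample logic\n")
        _add(t, "app/model.bin", b"\x00\x01\x02")
    manifest = [{"Config": "config.json", "RepoTags": ["sample:1"],
                 "Layers": ["layer0/layer.tar"]}]
    image = io.BytesIO()
    with tarfile.open(fileobj=image, mode="w") as t:
        _add(t, "manifest.json", json.dumps(manifest).encode())
        _add(t, "layer0/layer.tar", layer.getvalue())
    return image.getvalue()

def readable_sources(image_bytes):
    """Return {path: text} for every source file found in the image's layers."""
    found = {}
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for entry in manifest:
            for layer_name in entry["Layers"]:
                # Each layer is an ordinary (optionally compressed) tar archive.
                layer_data = image.extractfile(layer_name).read()
                with tarfile.open(fileobj=io.BytesIO(layer_data)) as layer:
                    for member in layer:
                        if member.isfile() and member.name.endswith(SOURCE_EXTS):
                            raw = layer.extractfile(member).read()
                            found[member.name] = raw.decode("utf-8", "replace")
    return found

if __name__ == "__main__":
    for path, text in readable_sources(build_sample_image()).items():
        print(f"{path}: {len(text)} bytes of plain-text source")
```

Anything this audit returns is what ships to the device unprotected, which makes it a quick check on whether a move to compiled artifacts actually removed the source from the image.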