US Patent 10326744 Security layer for containers in multi-tenant environments

An apparatus comprises at least one container host device implementing containers for respective tenants of a multi-tenant environment. The containers are configured to utilize storage resources of at least one storage platform. A given one of the containers comprises at least one application, and an application file system security layer configured to communicate with the storage platform. The application file system security layer comprises a container storage volume supported by the storage platform, and an encryption engine configured to encrypt and decrypt data of the container storage volume utilizing one or more data encryption keys that are encrypted under a tenant-specific key encryption key. The tenant-specific key encryption key is provided to the application file system security layer by a tenant key manager that is external to the container. The tenant key manager is illustratively controlled by the tenant for which the given container is implemented.