The generally available release of Singularity 3.4.0 places emphasis on a single feature:
The ability to build and run encrypted containers. We appreciate that some might object to our propensity towards hyperbole, given that seemingly sweeping statement. And that’s precisely what makes this release, frankly, a remarkable one; to quote from the release notes:
The major new feature of this release is the ability to build and run encrypted containers. These containers are encrypted at rest, in transit, and even while running! There is no intermediate decrypted rootfs left around upon termination. Data is decrypted totally in kernel space.
In other words, Singularity containers remain encrypted throughout their entire lifecycle – when they are created, when they are at rest or transferred around, and yes, even when they are in use. Owing to their use of kernel space for data decryption, there is no need to clean up a decrypted rootfs upon termination…
Read more at HPCwire