ctr: Document that import of encrypted image requires decryption key
The import of an encrypted image requires the decryption key as proof
that one possesses one of the decryption keys of the image. However, the
image will not be decrypted as part of the import. The alternative path
that does not require the decryption key is to pull the image from a
repository.

The underlying reason why one needs the key is because containerd sends
an encrypted layer to ctd-decoder which needs the decryption key for the
decryption of that layer and for the import to succeed.

It is not currently clear what the layer represents and why it is part
of an exported image. The layer that is sent for the current alpine
image is the layer with the hash ff7f8bb.. from here:

./blobs/sha256/8a1591...:
{"architecture":"amd64",[...]
 {"type":"layers",
  "diff_ids":
    ["sha256:ff7f8bbf1c81b508f82b1c59e8c2467175c0b33e58a79507f4fde8067d6f1897",
     "sha256:c32387d564776805eb144718cd41629761e1980280c9d512df358b60f9fe6ba3"]
 }
}

Signed-off-by: Stefan Berger <[email protected]>
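The commit message above notes that containerd hands an encrypted layer to ctd-decoder, which cannot proceed without a matching key, so an import fails unless the user holds one of the keys. A practitioner who wants to know in advance whether an import will succeed can inspect the exported OCI layout: encrypted layers are marked by the `+encrypted` media-type suffix and carry their wrapped keys in `org.opencontainers.image.enc.keys.<scheme>` annotations (both defined by the ocicrypt specification that ctd-decoder implements). The following is an added example, not containerd's own code; it builds a constructed OCI layout tarball in memory (all digests and key material are placeholders computed or invented here) and lists each layer with its diff_id, encryption status and key-wrapping schemes, then decides whether an importer holding keys for given schemes could decrypt every encrypted layer.

```python
import hashlib
import io
import json
import tarfile

# Media-type suffix and annotation prefix defined by the ocicrypt specification
# (the layer-encryption scheme containerd's ctd-decoder implements).
ENCRYPTED_SUFFIX = "+encrypted"
KEY_ANNOTATION_PREFIX = "org.opencontainers.image.enc.keys."


def _blob(tar, digest):
    """Read and parse a JSON blob addressed by its sha256 digest in an OCI layout."""
    member = tar.extractfile("blobs/sha256/" + digest.split(":", 1)[1])
    return json.load(member)


def inspect_oci_export(tar_bytes):
    """Return one record per layer: digest, media type, whether it is encrypted,
    the key-wrapping schemes attached to it, and its diff_id from the config."""
    results = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        index = json.load(tar.extractfile("index.json"))
        for desc in index["manifests"]:
            manifest = _blob(tar, desc["digest"])
            config = _blob(tar, manifest["config"]["digest"])
            diff_ids = config["rootfs"]["diff_ids"]
            # Layers and diff_ids are parallel lists in the OCI image spec.
            for layer, diff_id in zip(manifest["layers"], diff_ids):
                ann = layer.get("annotations", {})
                schemes = sorted(k[len(KEY_ANNOTATION_PREFIX):]
                                 for k in ann if k.startswith(KEY_ANNOTATION_PREFIX))
                results.append({
                    "digest": layer["digest"],
                    "mediaType": layer["mediaType"],
                    "encrypted": layer["mediaType"].endswith(ENCRYPTED_SUFFIX),
                    "key_schemes": schemes,
                    "diff_id": diff_id,
                })
    return results


def can_import(records, held_schemes):
    """True only if every encrypted layer carries a key-wrapping scheme the
    importer holds a key for; an image with no encrypted layers always passes."""
    held = set(held_schemes)
    return all((not r["encrypted"]) or bool(set(r["key_schemes"]) & held)
               for r in records)


def _add(tar, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_sample_export():
    """Constructed OCI layout tarball: one manifest with one JWE-encrypted layer
    and one plain layer. Digests are computed or invented here, not taken from
    any real image."""
    config = json.dumps({
        "architecture": "amd64", "os": "linux",
        "rootfs": {"type": "layers",
                   "diff_ids": ["sha256:" + "11" * 32, "sha256:" + "22" * 32]},
    }).encode()
    config_digest = "sha256:" + hashlib.sha256(config).hexdigest()
    manifest = json.dumps({
        "schemaVersion": 2,
        "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
                   "digest": config_digest, "size": len(config)},
        "layers": [
            {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip+encrypted",
             "digest": "sha256:" + "aa" * 32, "size": 1024,
             "annotations": {KEY_ANNOTATION_PREFIX + "jwe": "<wrapped-key-placeholder>"}},
            {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
             "digest": "sha256:" + "bb" * 32, "size": 2048},
        ],
    }).encode()
    manifest_digest = "sha256:" + hashlib.sha256(manifest).hexdigest()
    index = json.dumps({"schemaVersion": 2, "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": manifest_digest, "size": len(manifest)}]}).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add(tar, "index.json", index)
        _add(tar, "blobs/sha256/" + config_digest[7:], config)
        _add(tar, "blobs/sha256/" + manifest_digest[7:], manifest)
    return buf.getvalue()


if __name__ == "__main__":
    recs = inspect_oci_export(build_sample_export())
    for rec in recs:
        print(rec)
    print("importable with a JWE key:", can_import(recs, ["jwe"]))
```

Pointing `inspect_oci_export` at a real `ctr images export` tarball shows which layer digests the decoder will ask a key for, which is the information the commit message was missing when asking what the ff7f8bb.. layer represents.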
stefanberger authored and lumjjb committed Sep 19, 2022
1 parent 44f4e18 commit 2c93cef
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions cmd/ctr/commands/images/import.go
@@ -54,6 +54,10 @@ e.g.
If foobar.tar contains an OCI ref named "latest" and anonymous ref "sha256:deadbeef", the command will create
"foo/bar:latest" and "foo/bar@sha256:deadbeef" images in the containerd store.
Import of an encrypted image requires the decryption key to be passed. Even though the image will not be
decrypted it is required that the user proofs to be in possession of one of the decryption keys needed for
decrypting the image later on.
`,
Flags: append(append([]cli.Flag{
cli.StringFlag{
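Review bot: the added sentence "it is required that the user proofs to be in possession of one of the decryption keys" has a grammar slip; "proves to be in possession" or "prove possession of one of the decryption keys" reads correctly. While touching it, the text says the key must "be passed" but never says how; since the Flags block that immediately follows is where a user will look, name the flag that carries the key in the help text rather than leaving the reader to discover it from the flag list.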
