Tags: hyperledger-fabric, hyperledger-chaincode

How to prevent access to the state database outside the chaincode process


I am building a system that will hold sensitive user data, which means that I need to prevent any access to the state database outside the chaincode process.

Also, if I am publishing the database as a Docker image, how do I make sure that the peer uses that specific database image and not a tampered one?


Solution

  • How to prevent access to the state database outside the chaincode process

    You need to ensure two things:

    • Data that the chaincode reads cannot be used outside of the chaincode
    • Data that the chaincode reads cannot be altered, and if it's altered then it can be detected.

    The first problem can be mitigated by encrypting the data, and the second problem can be mitigated by having the chaincode attach a MAC (Message Authentication Code) tag to every item it writes, validate the MAC tag of any item it reads, and return an error if the tag is invalid.

    It is worth mentioning that you should MAC the ciphertext and not encrypt the MAC (first encrypt, then MAC).

    Also, if I am publishing the database as a Docker image, how do I make sure that the peer uses that specific database image and not a tampered one?

    If the chaincode has the MAC key embedded inside of it, then a database image you publish that contains records the chaincode did not produce (and hence did not attach appropriate MAC tags to) will be detected.

    The problem is that a malicious administrator could also provide the peer with a valid database container but from the past.

    There is another option you can investigate, which is Fabric Private Chaincode, which uses the Intel SGX TEE (Trusted Execution Environment) feature.
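The encrypt-then-MAC scheme described in the answer, written out as an added Go example (it is not code from the question, the answer, or Hyperledger Fabric itself). It assumes an in-memory `State` map standing in for the peer's world state (where a real chaincode would call `PutState`/`GetState` on the shim), AES-256-CTR for confidentiality and HMAC-SHA256 over the state key, nonce and ciphertext for integrity; the keys and the `patient:42` record are constructed demo values. The state key is bound into the tag so that a valid record copied under a different key is also rejected, which goes slightly beyond the text.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// State stands in for the peer's world state (assumption for this example,
// not the Fabric shim API). Values are stored as: nonce || ciphertext || tag.
type State map[string][]byte

// Keys are known only to the chaincode process; Enc and Mac must be independent.
type Keys struct {
	Enc []byte // 32-byte AES-256 key
	Mac []byte // HMAC-SHA256 key
}

var (
	ErrNotFound = errors.New("key not found in state")
	ErrTampered = errors.New("MAC verification failed: record altered or not produced by chaincode")
)

// tag is the encrypt-then-MAC tag: HMAC over state key, nonce and ciphertext.
// Including the state key stops a genuine record being replayed under another key.
func tag(macKey []byte, stateKey string, nonce, ct []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	h.Write([]byte(stateKey))
	h.Write([]byte{0}) // separator so the key/nonce boundary is unambiguous
	h.Write(nonce)
	h.Write(ct)
	return h.Sum(nil)
}

// Put encrypts plaintext under a fresh random nonce, then MACs the ciphertext.
func Put(st State, keys Keys, stateKey string, plaintext []byte) error {
	block, err := aes.NewCipher(keys.Enc)
	if err != nil {
		return err
	}
	nonce := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, nonce).XORKeyStream(ct, plaintext)
	rec := make([]byte, 0, len(nonce)+len(ct)+sha256.Size)
	rec = append(rec, nonce...)
	rec = append(rec, ct...)
	rec = append(rec, tag(keys.Mac, stateKey, nonce, ct)...)
	st[stateKey] = rec
	return nil
}

// Get verifies the tag in constant time before decrypting; any mismatch is an error.
func Get(st State, keys Keys, stateKey string) ([]byte, error) {
	raw, ok := st[stateKey]
	if !ok {
		return nil, ErrNotFound
	}
	if len(raw) < aes.BlockSize+sha256.Size {
		return nil, ErrTampered
	}
	nonce, ct, got := raw[:aes.BlockSize], raw[aes.BlockSize:len(raw)-sha256.Size], raw[len(raw)-sha256.Size:]
	if !hmac.Equal(got, tag(keys.Mac, stateKey, nonce, ct)) {
		return nil, ErrTampered
	}
	block, err := aes.NewCipher(keys.Enc)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, nonce).XORKeyStream(pt, ct)
	return pt, nil
}

// Demo writes a record, reads it back, then simulates two out-of-band edits to
// the database: copying the record under another key, and flipping a ciphertext bit.
func Demo(keys Keys) (roundTrip, swapDetected, tamperDetected bool, err error) {
	st := State{}
	msg := []byte("constructed sample record") // constructed demo plaintext
	if err = Put(st, keys, "patient:42", msg); err != nil {
		return
	}
	pt, err := Get(st, keys, "patient:42")
	if err != nil {
		return
	}
	roundTrip = bytes.Equal(pt, msg)
	st["patient:43"] = append([]byte(nil), st["patient:42"]...) // replay under other key
	_, e := Get(st, keys, "patient:43")
	swapDetected = errors.Is(e, ErrTampered)
	st["patient:42"][aes.BlockSize] ^= 0x01 // edit the ciphertext outside the chaincode
	_, e = Get(st, keys, "patient:42")
	tamperDetected = errors.Is(e, ErrTampered)
	return
}

func main() {
	keys := Keys{Enc: bytes.Repeat([]byte{1}, 32), Mac: bytes.Repeat([]byte{2}, 32)} // constructed demo keys
	fmt.Println(Demo(keys))
}
```

Note what this does and does not give you: an administrator with database access learns nothing from the ciphertext and cannot modify or fabricate records without the MAC key, but, as the answer points out, they can still restore an older, correctly tagged copy of the whole database; a rollback of that kind is not detected by per-record tags.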