
create mount point /encrypted/encfs during runtime to be able to mount /encrypted

Fabian Peter Hammerle 3 years ago
parent
commit
da84af088e
4 changed files with 38 additions and 49 deletions
  1. 6 7
      Dockerfile
  2. 12 5
      README.md
  3. 0 2
      docker-compose.yml
  4. 20 35
      mount.sh

+ 6 - 7
Dockerfile

@@ -6,22 +6,21 @@ ENV ENCFS_PASSWORD_CHARSET="1-9a-km-zA-HJKLMNPR-Z*+!&#@%.\-_" \
     ENCFS_PASSWORD_LENGTH=32 \
     ENCFS_PASSWORD_PATH=/secret/password \
     ENCFS_SOURCE_DIR=/plain \
-    ENCFS_MOUNT_POINT=/encrypted/encfs \
-    ENCFS_CONFIG_PATH=/encrypted/config/encfs6.xml \
-    ENCFS_CONFIG_GENERATION_TIMEOUT_SECS=8
+    ENCFS_TARGET_DIR=/encrypted
+
+ENV ENCFS_MOUNT_POINT=$ENCFS_TARGET_DIR/encfs \
+    ENCFS_CONFIG_COPY_PATH=$ENCFS_TARGET_DIR/encfs6.xml
 
 COPY ./mount.sh /
 RUN adduser -S encrypt \
     && mkdir -p \
         $(dirname $ENCFS_PASSWORD_PATH) \
         $ENCFS_SOURCE_DIR \
-        $ENCFS_MOUNT_POINT \
-        $(dirname $ENCFS_CONFIG_PATH) \
+        $ENCFS_TARGET_DIR \
     && chown -c encrypt \
         $(dirname $ENCFS_PASSWORD_PATH) \
         $ENCFS_SOURCE_DIR `#.encfs6xml` \
-        $ENCFS_MOUNT_POINT \
-        $(dirname $ENCFS_CONFIG_PATH) \
+        $ENCFS_TARGET_DIR \
     && echo user_allow_other >> /etc/fuse.conf \
     && chmod a+rx /mount.sh
 USER encrypt
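Review bot: The build-time `chown -c encrypt … $ENCFS_TARGET_DIR` only affects the image layer; once a host directory is bound at `/encrypted` at runtime (which is what this commit sets out to enable), ownership comes from the host and the `mkdir -p "$ENCFS_MOUNT_POINT"` that mount.sh now performs as user `encrypt` will presumably fail unless that host directory is writable by the same uid. The new ENV block would benefit from a comment stating this contract, e.g. `# $ENCFS_MOUNT_POINT is created by mount.sh at runtime (not here) so that a host directory can be bound at $ENCFS_TARGET_DIR; that directory must be writable by user encrypt`. It is also worth a comment that `$ENCFS_CONFIG_COPY_PATH` places encfs6.xml in the same exported directory as the ciphertext, since that file plus the password in `$ENCFS_PASSWORD_PATH` is what a reader of `/encrypted` needs to decrypt it.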

+ 12 - 5
README.md

@@ -1,23 +1,30 @@
 # Reverse EncFS 🐳
 
-Provides an EncFS-enciphered view `/encrypted` of volumes mounted at `/plain`
+Provides an EncFS-enciphered view `/encrypted` of volumes mounted in `/plain`
 
 ```sh
 docker run --rm -it --device /dev/fuse \
-    -v plain-data:/plain/data:ro \
+    -v plain-data1:/plain/foo:ro \
+    -v plain-data2:/plain/bar:ro \
     -v encfs-password:/secret \
     --cap-add SYS_ADMIN --security-opt apparmor:unconfined \
     fphammerle/reverse-encfs
 ```
 
-Optionally add `-v encfs-config:/encrypted/config` to make `encfs6.xml` persistent.
-
 Optionally add `--network none`
 
 Or simply run `docker-compose up`
 
 ## Password
 
-The password will be randomly generated and stored in `/secret/password`.
+A random password will be generated and stored in `/secret/password`.
 
 Set the env var `$ENCFS_PASSWORD_LENGTH` to change its length.
+
+## Access encrypted data
+
+Add `-v /somewhere:/encrypted:share` to mount the encrypted view of `/plain/*` into the host filesystem.
+
+You may need to disable user namespace remapping for containers
+(dockerd option `--userns-remap`)
+due to https://github.com/moby/moby/issues/36472 .

+ 0 - 2
docker-compose.yml

@@ -3,7 +3,6 @@ version: '2'
 volumes:
   plain_data:
   encfs_password:
-  encfs_config:
 
 services:
   encfs:
@@ -12,7 +11,6 @@ services:
     volumes:
     - plain_data:/plain/data:ro
     - encfs_password:/secret
-    - encfs_config:/encrypted/config
     networks: []
     devices: [/dev/fuse]
     cap_add: [SYS_ADMIN]

+ 20 - 35
mount.sh

@@ -1,46 +1,31 @@
 #!/bin/sh
 set -e
 
+ENCFS_SOURCE_CONFIG_PATH="$ENCFS_SOURCE_DIR/.encfs6.xml"
+
 if [ ! -f "$ENCFS_PASSWORD_PATH" ]; then
-    echo generating encfs password
+    echo generating encfs password at $ENCFS_PASSWORD_PATH
     (set -x;
      tr -dc "$ENCFS_PASSWORD_CHARSET" < /dev/random | head -c "$ENCFS_PASSWORD_LENGTH" > "$ENCFS_PASSWORD_PATH")
-    [ -f "$ENCFS_CONFIG_PATH" ] && (set -x; rm "$ENCFS_CONFIG_PATH")
+    [ -f "$ENCFS_SOURCE_CONFIG_PATH" ] && (set -x; rm "$ENCFS_SOURCE_CONFIG_PATH")
 fi
 
-function mount_encfs {
-    (set -x
-     encfs --reverse "$@" \
-        --extpass="cat \"$ENCFS_PASSWORD_PATH\"" \
-        "$ENCFS_SOURCE_DIR" "$ENCFS_MOUNT_POINT")
-}
+# cave: when $ENCFS6_CONFIG is set, encfs excepts the config to already exist
+# ERROR fatal: config file specified by environment does not exist: /target/config/encfs6.xml [FileUtils.cpp:246]
+# https://github.com/vgough/encfs/issues/497
 
-if [ ! -f "$ENCFS_CONFIG_PATH" ]; then
-    # ERROR fatal: config file specified by environment does not exist: /target/config/encfs6.xml [FileUtils.cpp:246]
-    # https://github.com/vgough/encfs/issues/497
-    echo generating encfs config
-    ENCFS_DEFAULT_CONFIG_PATH="$ENCFS_SOURCE_DIR/.encfs6.xml"
-    if [ -f "$ENCFS_DEFAULT_CONFIG_PATH" ]; then
-        echo conflicting encfs config in $ENCFS_DEFAULT_CONFIG_PATH
-        exit 1
-    fi
-    mount_encfs --standard
-    while [ ! -f "$ENCFS_DEFAULT_CONFIG_PATH" ]; do
-        sleep 1
-        echo waiting for encfs config
+function copy_config {
+    sleep 4
+    while [ ! -f "$ENCFS_SOURCE_CONFIG_PATH" ]; do
+        echo waiting for encfs to create $ENCFS_SOURCE_CONFIG_PATH
+        sleep 2
     done
-    if [ -f "$ENCFS_DEFAULT_CONFIG_PATH" ]; then
-        fusermount -u "$ENCFS_MOUNT_POINT"
-        while mountpoint -q "$ENCFS_MOUNT_POINT"; do
-            echo waiting for unmount
-            sleep 1
-        done
-        (set -x; mv "$ENCFS_DEFAULT_CONFIG_PATH" "$ENCFS_CONFIG_PATH")
-    else
-        echo failed to generate encfs config
-        exit 1
-    fi
-fi
+    (set -x; cp "$ENCFS_SOURCE_CONFIG_PATH" "$ENCFS_CONFIG_COPY_PATH")
+}
 
-export ENCFS6_CONFIG="$ENCFS_CONFIG_PATH"
-mount_encfs -f -o allow_other
+copy_config &
+set -x
+mkdir -p "$ENCFS_MOUNT_POINT"
+encfs -f -o allow_other --reverse --standard \
+    --extpass="cat \"$ENCFS_PASSWORD_PATH\"" \
+    "$ENCFS_SOURCE_DIR" "$ENCFS_MOUNT_POINT"