|
@@ -24,7 +24,7 @@ A random password will be generated and stored in `/secret/password`.
|
|
|
|
|
|
Set the env var `$ENCFS_PASSWORD_LENGTH` to change its length.
|
|
|
|
|
|
-## Access encrypted data
|
|
|
+## Access Encrypted Data
|
|
|
|
|
|
Add `-v /somewhere:/encrypted:shared` to mount the encrypted view of `/plain/*` into the host filesystem.
|
|
|
|
|
@@ -32,9 +32,21 @@ You may need to disable user namespace remapping for containers
|
|
|
(dockerd option `--userns-remap`)
|
|
|
due to https://github.com/moby/moby/issues/36472 .
|
|
|
|
|
|
-## Serve encrypted data via rsync ssh server
|
|
|
+## Serve Encrypted Data via Rsync SSH Server
|
|
|
|
|
|
See [examples/rsync-sshd](examples/rsync-sshd/docker-compose.yml)
|
|
|
|
|
|
Grant rsync access to a gpg-encrypted view of the encfs password:
|
|
|
[examples/rsync-sshd-incl-gpg-enc-pwd](examples/rsync-sshd-incl-gpg-enc-pwd/docker-compose.yml)
|
|
|
+
|
|
|
+## Known Issues
|
|
|
+
|
|
|
+Mount fails with `EPERM / Operation not permitted`
|
|
|
+when enabling `--security-opt=no-new-privileges`.
|
|
|
+
|
|
|
+`fusermount` must run with `uid=0`.
|
|
|
+`no-new-privileges` makes the `setuid` bit ineffective:
|
|
|
+```sh
|
|
|
+$ stat -c '%A %U %G' /bin/fusermount
|
|
|
+-rwsr-xr-x root root
|
|
|
+```
|