1.4 KB

Reverse EncFS 🐳

Provides an EncFS-enciphered view /encrypted of volumes mounted in /plain

docker run --rm --device /dev/fuse \
    -v plain-data1:/plain/foo:ro \
    -v plain-data2:/plain/bar:ro \
    -v encfs-password:/secret \
    --cap-add SYS_ADMIN --security-opt apparmor:unconfined \

Optionally add --network none

Docker Compose 🐙

  1. Adapt paths in docker-compose.yml
  2. docker-compose up


A random password will be generated and stored in /secret/password.

Set the env var $ENCFS_PASSWORD_LENGTH to change its length.

Access Encrypted Data

Add -v /somewhere:/encrypted:shared to mount the encrypted view of /plain/* into the host filesystem.

You may need to disable user namespace remapping for containers (dockerd option --userns-remap) due to .

Serve Encrypted Data via Rsync SSH Server

See examples/rsync-sshd

Grant rsync access to a gpg-encrypted view of the encfs password: examples/rsync-sshd-incl-gpg-enc-pwd

Known Issues

Mount fails with EPERM / Operation not permitted when enabling --security-opt=no-new-privileges.

fusermount must run with uid=0. no-new-privileges makes the setuid bit ineffective:

$ stat -c '%A %U %G' /bin/fusermount
-rwsr-xr-x root root