dependabot[bot] 295b5da06b build(deps): bump docker/setup-buildx-action from 2.0.0 to 2.1.0 (#16) | 2 years ago | |
---|---|---|
.github | 2 years ago | |
examples | 5 years ago | |
CHANGELOG.md | 4 years ago | |
Dockerfile | 5 years ago | |
README.md | 4 years ago | |
docker-compose.yml | 5 years ago | |
mount.sh | 4 years ago |
Provides an EncFS-enciphered view /encrypted
of volumes mounted in /plain
docker run --rm --device /dev/fuse \
-v plain-data1:/plain/foo:ro \
-v plain-data2:/plain/bar:ro \
-v encfs-password:/secret \
--cap-add SYS_ADMIN --security-opt apparmor:unconfined \
fphammerle/reverse-encfs
Optionally add --network none
docker-compose up
A random password will be generated and stored in /secret/password
.
Set the env var $ENCFS_PASSWORD_LENGTH
to change its length.
Add -v /somewhere:/encrypted:shared
to mount the encrypted view of /plain/*
into the host filesystem.
You may need to disable user namespace remapping for containers
(dockerd option --userns-remap
)
due to https://github.com/moby/moby/issues/36472 .
Grant rsync access to a gpg-encrypted view of the encfs password: examples/rsync-sshd-incl-gpg-enc-pwd
Mount fails with EPERM / Operation not permitted
when enabling --security-opt=no-new-privileges
.
fusermount
must run with uid=0
.
no-new-privileges
makes the setuid
bit ineffective:
$ stat -c '%A %U %G' /bin/fusermount
-rwsr-xr-x root root