dependabot[bot] 37c2aa2e3e build(deps): bump docker/setup-buildx-action from 2.9.1 to 2.10.0 (#29) 1 year ago
.github 37c2aa2e3e build(deps): bump docker/setup-buildx-action from 2.9.1 to 2.10.0 (#29) 1 year ago
examples 289dccb342 compose example: added docker/moby src refs for mount propagation restriction 5 years ago
CHANGELOG.md 064209602d added changelog 4 years ago
Dockerfile da84af088e create mount point /encrypted/encfs during runtime to be able to mount /encrypted 5 years ago
README.md 0668202cf7 readme: fix capitalization 4 years ago
docker-compose.yml ad8ee62754 docker-compose: move rsync-sshd to new examples/rsync-sshd/docker-compose.yml 5 years ago
mount.sh c12b5be096 readme: document no-new-privileges issue 4 years ago

README.md

Reverse EncFS 🐳

Provides an EncFS-enciphered view /encrypted of volumes mounted in /plain

docker run --rm --device /dev/fuse \
    -v plain-data1:/plain/foo:ro \
    -v plain-data2:/plain/bar:ro \
    -v encfs-password:/secret \
    --cap-add SYS_ADMIN --security-opt apparmor:unconfined \
    fphammerle/reverse-encfs

Optionally add --network none

Docker Compose 🐙

  1. Adapt paths in docker-compose.yml
  2. docker-compose up

Password

A random password will be generated and stored in /secret/password.

Set the env var $ENCFS_PASSWORD_LENGTH to change its length.

Access Encrypted Data

Add -v /somewhere:/encrypted:shared to mount the encrypted view of /plain/* into the host filesystem.

You may need to disable user namespace remapping for containers (dockerd option --userns-remap) due to https://github.com/moby/moby/issues/36472 .

Serve Encrypted Data via Rsync SSH Server

See examples/rsync-sshd

Grant rsync access to a gpg-encrypted view of the encfs password: examples/rsync-sshd-incl-gpg-enc-pwd

Known Issues

Mount fails with EPERM / Operation not permitted when enabling --security-opt=no-new-privileges.

fusermount must run with uid=0, which it obtains through its setuid bit. no-new-privileges makes the setuid bit ineffective:

$ stat -c '%A %U %G' /bin/fusermount
-rwsr-xr-x root root
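
A preflight check for the failure described above, as an added example that is not part of this project: it reports whether no_new_privs is set for the current process and whether fusermount is setuid root. The function names are hypothetical; it assumes Linux >= 4.10 (which exposes the NoNewPrivs field in /proc/<pid>/status) and fusermount at /bin/fusermount as in the stat output above.

```sh
#!/bin/sh
# Added example (not part of the project). Assumes Linux >= 4.10, which exposes
# the NoNewPrivs field in /proc/<pid>/status, and fusermount at /bin/fusermount
# as in the stat output above.

# Print 0 or 1 from the NoNewPrivs line of a status file, "unknown" if absent.
# The flag is inherited by child processes, so reading it via awk's own
# /proc/self/status gives the same value as for the calling shell.
no_new_privs() {
    value=$(awk '$1 == "NoNewPrivs:" { print $2; exit }' \
        "${1:-/proc/self/status}" 2>/dev/null) || value=""
    echo "${value:-unknown}"
}

# Succeed if a `stat -c '%A %U %G'` line shows the setuid bit and owner root.
is_setuid_root() {
    case "$1" in
        ???s*" root "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Arguments (both optional, for testing): status file, stat line.
# Prints a verdict; exit status 0 only when the setuid bit can take effect.
fusermount_preflight() {
    stat_line="${2:-$(stat -c '%A %U %G' /bin/fusermount 2>/dev/null)}"
    if ! is_setuid_root "$stat_line"; then
        echo "fusermount is not setuid root"
        return 2
    fi
    case "$(no_new_privs "$1")" in
        0) echo "ok" ;;
        1) echo "no_new_privs is set: setuid bit on fusermount is ignored"
           return 1 ;;
        *) echo "NoNewPrivs not reported by this kernel"
           return 3 ;;
    esac
}
```

Calling fusermount_preflight without arguments inside the container, before the mount is attempted, turns the bare EPERM into a message naming the cause.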