taoeffect closed 6 years ago
Wow, gocryptfs on Alpine on Docker on MacOS. I'm under the impression that FUSE on Docker on Linux is already kind-of unsupported, I'm not sure if this can work on MacOS at all.
Maybe try with a common filesystem like sshfs first?
Docker on MacOS runs a Linux virtual machine, so in theory this can work if it works on Docker on Linux.
Though in practice, it brings in questions about who controls the configuration of that shared kernel, the modules it loads, &c... so I'd definitely start with more Docker-centric resources until at least one other FUSE module is working.
This is just such a cool project. I hope it works at some point, would love to use it, and it's very common for people to use Docker on macOS for development purposes before deploying to native Linux. And yes, @charles-dyfis-net is right that by default Docker on macOS runs an alpine linux kernel through QEMU (I believe).
Oh, I don't know if it's of any help, but Docker does have "volume drivers" that might be relevant. Example: https://github.com/projectatomic/docker-lvm-plugin
It looks like you need
But as to how, I'm sorry, I have no idea!
@taoeffect what's your use case for wanting to dockerize gocryptfs? I've been able to run and mount successfully on distroless. Haven't checked to make sure everything's working yet tho...
It seems like one reasonable way to encrypt secrets on a VPS
I know this is old, but just in case someone is interested:
Due to the recent issues with gocryptfs deprecation in Mac due to the license change in fuse, I (successfully) tested this workaround:
The host (Mac) reads/writes via the Samba share (there is obvious performance degradation, but it's still fast enough for my needs). The data is encrypted in the volume (note: this data is backed up to a NAS, I don't care if the Docker volume gets corrupted, etc, as this setup is mostly to have an encrypted snapshot to work with when the Mac is disconnected from the home NAS).
Is this secure?... it's better than having plain files (that any root-like user can see).... but, I'd bet this has plenty of holes (feel free to share your knowledge here).
I think I'll switch to Truecrypt + osxfuse (all that can be installed via brew cask). If you have advice/thoughts, please share.
Hey @sesponda -- this same approach occurred to me. Was wondering if you could share your docker command?
Hi @heavyimage,
I've changed my system a long time ago, moving away from this solution. Unfortunately, I did not save a backup or copy of this experiment, sorry :(
Ah no worries!
A couple old dockerizations of gocryptfs that I've seen require --privileged --cap-add SYS_ADMIN --device /dev/fuse be added to the docker options.
On macOS, in Docker with Alpine linux, I've only gotten so far as:
So I follow the instructions and try modprobe fuse, but that gives:
And at this point I'm all out of ideas.
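Added example, not part of the thread or the gocryptfs project: a preflight script to run inside the container that separates the three prerequisites a FUSE mount depends on (the /dev/fuse device, CAP_SYS_ADMIN, and fuse support in the kernel the container shares). The function names and the sample capability masks are constructed for illustration.

```shell
#!/bin/sh
# FUSE preflight for use inside a container (added example; names are hypothetical).
# Note: --privileged already grants every capability and host device access,
# so it is far broader than --cap-add SYS_ADMIN --device /dev/fuse on their own.

# True if the hex capability mask (the CapEff field of /proc/<pid>/status)
# has CAP_SYS_ADMIN set. CAP_SYS_ADMIN is capability number 21.
has_cap_sys_admin() {
    [ $(( 0x$1 & (1 << 21) )) -ne 0 ]
}

# Effective capability mask of the current process, as a hex string.
current_capeff() {
    awk '/^CapEff:/ {print $2}' /proc/self/status
}

# Prints one line per prerequisite; returns 0 only if all three hold.
fuse_preflight() {
    rc=0
    if [ -c /dev/fuse ]; then
        echo "ok: /dev/fuse present"
    else
        echo "missing: /dev/fuse (pass --device /dev/fuse)"; rc=1
    fi

    if has_cap_sys_admin "$(current_capeff)"; then
        echo "ok: CAP_SYS_ADMIN"
    else
        echo "missing: CAP_SYS_ADMIN (pass --cap-add SYS_ADMIN)"; rc=1
    fi

    # A container shares the kernel of its host (on macOS, the Docker VM),
    # so fuse has to be registered in that kernel, not inside the container.
    if grep -qw fuse /proc/filesystems 2>/dev/null; then
        echo "ok: kernel has fuse"
    else
        echo "missing: fuse not registered in the shared kernel"; rc=1
    fi
    return $rc
}

# Run the checks only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    fuse_preflight
fi
```
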