rfjakob / gocryptfs

Encrypted overlay filesystem written in Go
https://nuetzlich.net/gocryptfs/
MIT License

Docker / Alpine support? #182

Closed taoeffect closed 6 years ago

taoeffect commented 6 years ago

On macOS, in Docker with Alpine linux, I've only gotten so far as:

~ # gocryptfs cipher plain
Password:
Decrypting master key

Your master key is:

    [key]

If the gocryptfs.conf file becomes corrupted or you ever forget your password,
there is only one hope for recovery: The master key. Print it to a piece of
paper and store it in a drawer. Use "-q" to suppress this message.

/bin/fusermount: fuse device not found, try 'modprobe fuse' first
fuse.NewServer failed: fusermount exited with code 256

So I follow the instructions and try modprobe fuse, but that gives:

# modprobe fuse
modprobe: can't change directory to '/lib/modules': No such file or directory

And at this point I'm all out of ideas.

rfjakob commented 6 years ago

Wow, gocryptfs on Alpine on Docker on MacOS. I'm under the impression that FUSE on Docker on Linux is already kind-of unsupported; I'm not sure if this can work on MacOS at all.

Maybe try with a common filesystem like sshfs first?

charles-dyfis-net commented 6 years ago

Docker on MacOS runs a Linux virtual machine, so in theory this can work if it works on Docker on Linux.

Though in practice, it brings in questions about who controls the configuration of that shared kernel, the modules it loads, &c... so I'd definitely start with more Docker-centric resources until at least one other FUSE module is working.

taoeffect commented 6 years ago

This is just such a cool project. I hope it works at some point, would love to use it, and it's very common for people to use Docker on macOS for development purposes before deploying to native Linux. And yes, @charles-dyfis-net is right that by default Docker on macOS runs an Alpine Linux kernel through QEMU (I believe).

taoeffect commented 6 years ago

Oh, I don't know if it's of any help, but Docker does have "volume drivers" that might be relevant. Example: https://github.com/projectatomic/docker-lvm-plugin

rfjakob commented 6 years ago

It looks like you need

But as to how, I'm sorry, I have no idea!

thekelvinliu commented 6 years ago

@taoeffect what's your use case for wanting to dockerize gocryptfs? i've been able to run and mount successfully on distroless. haven't checked to make sure everything's working yet tho...

taoeffect commented 6 years ago

It seems like one reasonable way to encrypt secrets on a VPS

sesponda commented 3 years ago

I know this is old, but just in case someone is interested:

Due to the recent issues with gocryptfs deprecation in Mac due to the license change in fuse, I (successfully) tested this workaround:

The host (Mac) reads/writes via the Samba share (there is obvious performance degradation, but it's still fast enough for my needs). The data is encrypted in the volume (note: this data is backed up to a NAS, I don't care if the Docker volume gets corrupted, etc, as this setup is mostly to have an encrypted snapshot to work with when the Mac is disconnected from the home NAS).

Is this secure? It's better than having plain files (that any root-like user can see), but I'd bet this has plenty of holes (feel free to share your knowledge here).

I think I'll switch to Truecrypt + osxfuse (all that can be installed via brew cask). If you have advice/thoughts, please share.

heavyimage commented 2 years ago

Hey @sesponda -- this same approach occurred to me. Was wondering if you could share your docker command?

sesponda commented 2 years ago

Hi @heavyimage,

I've changed my system a long time ago, moving away from this solution. Unfortunately, I did not save a backup or copy of this experiment, sorry :(

heavyimage commented 1 year ago

Ah no worries!

deutrino commented 2 months ago

A couple old dockerizations of gocryptfs that I've seen require

--privileged --cap-add SYS_ADMIN --device /dev/fuse

be added to the docker options.
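
A preflight check for the two prerequisites this thread keeps running into: the FUSE device node from the first post's error and the SYS_ADMIN capability from the options in the last comment. This is an added example, not code from the thread or from gocryptfs; the function names and the approach of reading `CapEff` from `/proc` are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread or the gocryptfs project).
# Preflight for a FUSE mount inside a container: checks the device node and
# the capability that the thread's error and suggested options revolve around.

CAP_SYS_ADMIN=21   # Linux capability number of CAP_SYS_ADMIN

# has_cap HEXMASK BIT: succeed if BIT is set in a CapEff-style hex mask.
has_cap() {
    case $1 in
        ''|*[!0-9a-fA-F]*) return 2 ;;   # empty or not hex: cannot decide
    esac
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_eff STATUSFILE: print the effective capability mask from a
# /proc/<pid>/status style file.
cap_eff() {
    awk '$1 == "CapEff:" { print $2 }' "$1" 2>/dev/null
}

# fuse_preflight [DEVICE] [STATUSFILE]: print one line per missing
# prerequisite and return how many are missing (0 = ready to try mounting).
fuse_preflight() {
    dev=${1:-/dev/fuse}
    statfile=${2:-/proc/$$/status}
    missing=0
    if [ ! -c "$dev" ]; then
        echo "missing: $dev is not a character device (docker run --device /dev/fuse)"
        missing=$((missing + 1))
    fi
    if ! has_cap "$(cap_eff "$statfile")" "$CAP_SYS_ADMIN"; then
        echo "missing: CAP_SYS_ADMIN not in CapEff (docker run --cap-add SYS_ADMIN)"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# Run against the current environment; a non-zero count is reported, not fatal.
fuse_preflight || echo "prerequisites missing: $?"
```

`--privileged` grants every capability and exposes host devices, so it is the broadest of the three options quoted above; this check looks only for the two narrower prerequisites.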