Date created: Saturday, December 28, 2024 12:19:25 PM. Last modified: Saturday, December 28, 2024 12:23:24 PM

fscrypt

Dockerfile:

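FROM ubuntu:24.04

# fscrypt needs a filesystem with native encryption support (ext4 in these
# notes); it does not work on SSHFS, SAMBA, or NFS mounts.

# DEBIAN_FRONTEND is set on the install command itself: a VAR=value prefix
# only applies to the single command it precedes, so putting it in front of
# "apt-get update" would leave "apt-get install" without it.
RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \
        ca-certificates \
        gcc \
        golang-go \
        libpam0g-dev \
        make \
        vim && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

SHELL ["/bin/bash", "-c"]

# Check kernel supports EXT4 encryption.
# Informational only: the exit status of the pipeline is that of "uniq", so a
# missing config file does not fail the build. The output describes the kernel
# of the machine running the build; containers use the host kernel, so repeat
# the check on the host that will actually run the container.
RUN zgrep -h ENCRYPTION /proc/config.gz /boot/config-$(uname -r) | sort | uniq

# Install fscrypt.
# "latest" keeps the original behaviour, but it means every rebuild may pull
# different code. For a reproducible, reviewable build pass a release tag:
#   docker build --build-arg FSCRYPT_VERSION=<reviewed release tag> .
ARG FSCRYPT_VERSION=latest
RUN go install "github.com/google/fscrypt/cmd/fscrypt@${FSCRYPT_VERSION}"

# Add the Go bin directory to PATH. ENV applies to the remaining build steps
# and is also carried into containers started from the image.
ENV PATH="$PATH:/root/go/bin"
# Also append it for root's interactive shells. Single quotes keep $PATH
# unexpanded here, so the shell extends whatever PATH it starts with instead
# of replacing it with the PATH that was in effect during the build.
RUN echo 'export PATH="$PATH:/root/go/bin"' >> /root/.bashrc

# Check everything is ready: fails the build if the binary is not on PATH
RUN fscrypt --help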

 

docker-compose.yml:

# Compose definition for a single service built from the Dockerfile in this directory.
services:
  fscrypt:
    build:
      context: .
      dockerfile: Dockerfile
    # privileged mode gives the container all capabilities and access to host
    # devices, so a process inside it is effectively root on the host.
    # NOTE(review): presumably enabled so fscrypt can reach the kernel keyring
    # and filesystem encryption interfaces — confirm whether a narrower set of
    # capabilities would be enough, and keep this to a disposable test host.
    privileged: true

 

Commands:

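# Create fscrypt key: 32 random bytes, used below as a raw_key protector.
# The subshell's umask makes the new file readable by its owner only instead
# of inheriting the default (often world-readable) permissions.
(umask 077 && head --bytes=32 /dev/urandom > secret.key)
# Inspect the key. This prints the raw key to the terminal (and to any
# scrollback or session log), so only do it with a throwaway test key.
hexdump -C secret.key
# Encrypt a directory using the raw key file as its protector.
# Anyone who can read secret.key can unlock the directory, so store it
# somewhere other than the disk it protects.
fscrypt encrypt /mnt/disk/dir3 --key=secret.key --source=raw_key --name=Skeleton

fscrypt status
# Create global config file:
fscrypt setup --all-users
# Set up fscrypt on the filesystem mounted at /base/.
# --all-users lets users other than root create fscrypt metadata there;
# leave it out if only root should manage encryption on this filesystem.
fscrypt setup --all-users /base/
# Encrypt /base/backup with a raw-key protector named "protector"
fscrypt encrypt --user=root --name=protector --key=secret.key --source=raw_key /base/backup
fscrypt status
fscrypt status /base/backup
# Lock the directory, then unlock it again with the key file
fscrypt lock --user=root /base/backup
fscrypt unlock --user=root --key=secret.key /base/backup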
