Skip to content

fphammerle/rgpgfs

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

53 Commits
docker
docker
Β 
Β 
examples/rsync-sshd
examples/rsync-sshd
Β 
Β 
src
src
Β 
Β 
tests
tests
Β 
Β 
.dockerignore
.dockerignore
Β 
Β 
.gitignore
.gitignore
Β 
Β 
Dockerfile
Dockerfile
Β 
Β 
Makefile
Makefile
Β 
Β 
README.md
README.md
Β 
Β 
docker-compose.yml
docker-compose.yml
Β 
Β 

Repository files navigation

rgpgfs πŸ’Ύ πŸ”

PoC: PGP/GPG-enciphered view of plain directories

Mounting & unmounting does not require setuid, sudo, root ...

Build

Run make after installing libfuse and gpgme.

Debian / Ubuntu

apt-get install libfuse3-dev libgpgme-dev
make

Docker 🐳

docker build --target build -t rgpgfs .

Usage

rgpgfs -r [fingerprint] [mountpoint]
# or
rgpgfs --recipient=[fingerprint] [mountpoint]
# or
rgpgfs -o recipient=[fingerprint] [mountpoint]

rgpgfs will refuse to encrypt with untrusted keys. See gpg -k [fingerprint].

Example

Mount encrypted view of / in ~/rgpgfs:

$ rgpgfs --recipient 1234567890ABCDEF1234567890ABCDEF12345678 ~/rgpgfs

$ ls -1 ~/rgpfs/var/log/syslog.*
/home/me/rgpgfs/var/log/syslog.gpg
/home/me/rgpgfs/var/log/syslog.1.gpg
/home/me/rgpgfs/var/log/syslog.2.gz.gpg
/home/me/rgpgfs/var/log/syslog.3.gz.gpg

$ gpg --decrypt --for-your-eyes-only /home/me/rgpgfs/var/log/syslog.gpg | wc -l
gpg: encrypted with 4096-bit RSA key, ID 89ABCDEF12345678, created 2019-03-30
      "someone <[email protected]>"
3141

Change source directory

rgpgfs -o modules=subdir -o subdir=/source/dir /mount/point

Docker 🐳

Mount an enciphered view of named volume plain-data at /mnt/rgpgfs:

docker run --rm \
    --device /dev/fuse --cap-add SYS_ADMIN \
    -e RECIPIENT=1234567890ABCDEF1234567890ABCDEF12345678 \
    -v plain-data:/plain:ro \
    -v /mnt/rgpgfs:/encrypted:shared \
    fphammerle/rgpgfs

Interactively:

host$ mkdir /mnt/rgpgfs && chmod a+rwx /mnt/rgpgfs
host$ docker run --rm -it \
    -v plain-data:/plain:ro \
    -v /mnt/rgpgfs:/enc:shared \
    --device /dev/fuse --cap-add SYS_ADMIN \
    fphammerle/rgpgfs ash
container$ ls /plain
example.txt
container$ gpg --recv-keys 1234567890ABCDEF1234567890ABCDEF12345678
container$ gpg --edit-key 1234567890ABCDEF1234567890ABCDEF12345678
container gpg> trust
container gpg> 5
container gpg> quit
container$ rgpgfs -o allow_other,modules=subdir,subdir=/plain,recipient=12345678 /enc
container$ ls /enc
example.txt.gpg
# meanwhile in another shell:
host$ ls /mnt/rgpgfs
example.txt.gpg

When AppArmor is enabled you may need to add --security-opt apparmor:unconfined.

You may need to disable user namespace remapping for containers (dockerd option --userns-remap) due to moby/moby#36472 .

Docker Compose πŸ™

  1. Adapt paths & recipient in docker-compose.yml
  2. docker-compose up

Serve encrypted data via rsync ssh server

See examples/rsync-sshd

About

PoC: Mount PGP/GPG-enciphered view of plain directories via FUSE πŸ’Ύ πŸ”

hub.docker.com/r/fphammerle/rgpgfs

Topics

docker pgp gnupg gpgme fuse-filesystem file-encryption

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

1 fork
Report repository

Releases 2

0.1.1 Latest
Apr 4, 2019
+ 1 release

Packages

No packages published

Languages