Last active
January 25, 2024 15:49
-
-
Save keo/00f20ef27eddcdae78ab to your computer and use it in GitHub Desktop.
Setup encrypted partition for Docker containers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # Setup encrypted disk image | |
| # For Ubuntu 14.04 LTS | |
| CRYPTFS_ROOT=/cryptfs | |
| apt-get update | |
| apt-get -y upgrade | |
| apt-get -y install cryptsetup | |
| mkdir -p $CRYPTFS_ROOT | |
| dd if=/dev/zero of=$CRYPTFS_ROOT/swap bs=1M count=2048 | |
| truncate -s 20G $CRYPTFS_ROOT/disk | |
| chmod -R 700 "$CRYPTFS_ROOT" | |
| LOOP_DEVICE=$(losetup -f) | |
| losetup $LOOP_DEVICE $CRYPTFS_ROOT/disk | |
| badblocks -s -w -t random -v $LOOP_DEVICE | |
| cryptsetup -y luksFormat $LOOP_DEVICE | |
| cryptsetup luksOpen $LOOP_DEVICE cryptfs | |
| mkfs.ext4 /dev/mapper/cryptfs | |
| mkdir -p /mnt/cryptfs | |
| mount /dev/mapper/cryptfs /mnt/cryptfs | |
| # Setup bind mounts for Docker | |
| for DIR_NAME in home var/lib/docker | |
| do | |
| mkdir -p "/mnt/cryptfs/${DIR_NAME}" | |
| mkdir -p "/$DIR_NAME" | |
| mount --bind /mnt/cryptfs/${DIR_NAME} /$DIR_NAME | |
| done | |
| apt-get -y install docker.io | |
| ln -sf /usr/bin/docker.io /usr/local/bin/docker | |
| update-rc.d -n docker.io stop 70 0 1 2 3 4 5 6 . |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| CRYPTFS_ROOT=/cryptfs | |
| LOOP_DEVICE=$(losetup -f) | |
| losetup $LOOP_DEVICE $CRYPTFS_ROOT/disk | |
| cryptsetup luksOpen $LOOP_DEVICE cryptfs | |
| mkdir -p /mnt/cryptfs | |
| mount /dev/mapper/cryptfs /mnt/cryptfs | |
| # Setup bind mounts for Docker | |
| for DIR_NAME in home var/lib/docker | |
| do | |
| mkdir -p "/mnt/cryptfs/${DIR_NAME}" | |
| mkdir -p "/$DIR_NAME" | |
| mount --bind /mnt/cryptfs/${DIR_NAME} /$DIR_NAME | |
| done | |
| service docker.io start |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| CRYPTFS_ROOT=/cryptfs | |
| LOOP_DEVICE=$(losetup -a | grep $CRYPTFS_ROOT | grep -oP "^[^:]*") | |
| service docker.io stop | |
| for DIR_NAME in home var/lib/docker; do | |
| umount /$DIR_NAME | |
| done | |
| umount /mnt/cryptfs | |
| cryptsetup luksClose cryptfs | |
| losetup -d $LOOP_DEVICE |
The scripts encrypt the docker disk in host OS. Is there any way to encrypt the root partition in docker image?
A possible alternative: https://github.com/containers/docker-lvm-plugin
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi, I use Ubuntu 14.04, at the end of
bootstrap.shscript (update-rc.d -n docker.io stop 70 0 1 2 3 4 5 6 .) I got an error:but docker is running:
I had it already installed and the init script was at /etc/init.d/docker, so I had to change
-n docker.ioto-n docker.