ref: 5e1c7121ff505582d217e60d92fa6ff724e9dc53
dir: /changeblog/1755538728.txt/
Encrypted File Store on Plan 9 using cryptsetup

Sometimes you just need a little writable filesystem that is encrypted and stored in a single file. It turns out there are multiple ways to do that, besides the obvious ones. This post describes a simple way using cryptsetup and gefs. It is worth noting that I won't go into details about configuring gefs to do exactly what you want. Also, gefs is still considered experimental and should be used with care. Especially if you store sensitive data in that file, you should have a proper backup.

### Cryptsetup

Using gefs on a file is trivial, so we start with the more complicated part: cryptsetup. Cryptsetup uses fs(3) to expose a decrypted view of the file as a simple disk device. The file stored on disk stays encrypted; plaintext only ever appears behind the fs(3) device in ‥‥‥/dev/fs‥‥‥.

First, we have to create a file we can use. We use ‥‥‥dd‥‥‥ for that:

[[[ms
.P1
dd -if /dev/zero -bs 1024 -count 524288 > mydisk
.P2
]]]
[[[ebook
<code>dd -if /dev/zero -bs 1024 -count 524288 > mydisk</code>
]]]

This generates a file ‥‥‥mydisk‥‥‥ of 512 MiB: 524288 blocks of 1024 bytes each (512 * 1024 = 524288 blocks). You can use ‥‥‥hoc‥‥‥ to calculate the exact size you want. Note that gefs has a minimum file size requirement, so don't make it too small.

We want to encrypt this file with cryptsetup. To do that, we first initialize the file, which sets the password, then make it available in ‥‥‥/dev/fs‥‥‥, which needs that password to derive the key:

[[[ms
.P1
# set up file for encryption. Set password.
disk/cryptsetup -f mydisk
# make file available as /dev/fs/mydisk
disk/cryptsetup -i mydisk
.P2
]]]
[[[ebook
<code><pre>
# set up file for encryption. Set password.
disk/cryptsetup -f mydisk
# make file available as /dev/fs/mydisk
disk/cryptsetup -i mydisk
</pre></code>
]]]

After doing that, the decrypted disk will be available as ‥‥‥/dev/fs/mydisk‥‥‥. Everything written through that device is encrypted before it reaches ‥‥‥mydisk‥‥‥, and the protection is only as strong as the password you set, so choose it accordingly.
### gefs

With our virtual disk available in ‥‥‥/dev/fs/mydisk‥‥‥, let's use it. Reaming (formatting) is done once, when the disk is new, and wipes whatever is on it; afterwards we only serve it:

[[[ms
.P1
# ream the disk, with $user as the owner
gefs -f /dev/fs/mydisk -r $user
# srv the disk as /srv/mydisk and /srv/mydisk.cmd
gefs -f /dev/fs/mydisk -n mydisk
.P2
]]]
[[[ebook
<code><pre>
# ream the disk, with $user as the owner
gefs -f /dev/fs/mydisk -r $user
# srv the disk as /srv/mydisk and /srv/mydisk.cmd
gefs -f /dev/fs/mydisk -n mydisk
</pre></code>
]]]

With that set up, we can mount the disk and use it:

[[[ms
.P1
mount -c /srv/mydisk /n/mydisk
# do something
.P2
]]]
[[[ebook
<code><pre>
mount -c /srv/mydisk /n/mydisk
# do something
</pre></code>
]]]

### Shutting down the filesystem

To shut down the disk and remove it from ‥‥‥/dev/fs‥‥‥, we first have to get rid of the only process that accesses the file ‥‥‥/dev/fs/mydisk‥‥‥, by shutting down gefs; then we can remove the device from ‥‥‥/dev/fs‥‥‥. Note that unmount(1) takes the mount point, not the srv file, so we name both:

[[[ms
.P1
unmount /srv/mydisk /n/mydisk
# stop gefs
echo halt > /srv/mydisk.cmd
# remove from /dev/fs
echo del mydisk > /dev/fs/ctl
.P2
]]]
[[[ebook
<code><pre>
unmount /srv/mydisk /n/mydisk
# stop gefs
echo halt > /srv/mydisk.cmd
# remove from /dev/fs
echo del mydisk > /dev/fs/ctl
</pre></code>
]]]

If gefs is still running while you remove the disk from ‥‥‥/dev/fs‥‥‥, fs(3) will wait until the file is no longer in use, and only then remove it.

Regarding actual use: I haven't used this system yet. It is possible that it's very slow, but I doubt that. Gefs could eat your data, so have a good backup solution.
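The whole procedure (create, open, close) fits in one rc script. This is an added example, not part of the original post and not shipped with 9front: it only wraps the command lines shown above. The script name, its options, the existence checks, the check that the device actually appeared in ‥‥‥/dev/fs‥‥‥ and the size calculation via hoc are this script's own choices. As in the post, the file must be a plain name in the current directory, so that the same name can be used under ‥‥‥/dev/fs‥‥‥, ‥‥‥/srv‥‥‥ and ‥‥‥/n‥‥‥.

```rc
#!/bin/rc
# encdisk: create, open and close an encrypted gefs disk image.
#   encdisk -c file mbytes   zero-filled image, cryptsetup -f, gefs ream
#   encdisk -o file          /dev/fs/file -> /srv/file -> /n/file
#   encdisk -x file          unmount, halt gefs, delete from /dev/fs
# Added example wrapping the commands from the post; the option names,
# the checks and the size calculation are assumptions of this script.
rfork e

fn usage {
	echo 'usage: encdisk -c file mbytes | -o file | -x file' >[1=2]
	exit usage
}

# attach the decrypted view under /dev/fs and make sure it showed up
fn attach {
	disk/cryptsetup -i $1		# needs the password set with -f
	if(! test -e /dev/fs/$1){
		echo encdisk: /dev/fs/$1 was not installed >[1=2]
		exit attach
	}
}

# -c: allocate the image, set the password, ream gefs once, detach again
fn create {
	if(test -e $1){
		echo encdisk: $1 exists, refusing to overwrite >[1=2]
		exit exists
	}
	# dd counts 1024-byte blocks, so mbytes*1024 blocks gives mbytes MiB
	if(! dd -if /dev/zero -bs 1024 -count `{hoc -e $2^'*1024'} > $1){
		echo encdisk: could not create $1 >[1=2]
		exit dd
	}
	disk/cryptsetup -f $1		# sets the password
	attach $1
	gefs -f /dev/fs/$1 -r $user	# ream: $user owns the root
	echo del $1 > /dev/fs/ctl	# nothing holds it open, so it goes away now
}

# -o: attach, serve with gefs and mount; refuse if a srv of that name exists
fn opendisk {
	if(test -e /srv/$1){
		echo encdisk: /srv/$1 already exists, refusing to open twice >[1=2]
		exit busy
	}
	attach $1
	gefs -f /dev/fs/$1 -n $1	# creates /srv/$1 and /srv/$1.cmd
	mount -c /srv/$1 /n/$1
}

# -x: unmount from the mount point, halt gefs, then drop the plaintext device
fn closedisk {
	unmount /srv/$1 /n/$1
	echo halt > /srv/$1.cmd
	echo del $1 > /dev/fs/ctl
}

switch($1){
case -c
	if(! ~ $#* 3) usage
	create $2 $3
case -o
	if(! ~ $#* 2) usage
	opendisk $2
case -x
	if(! ~ $#* 2) usage
	closedisk $2
case *
	usage
}
```

Both cryptsetup invocations prompt for the password interactively, so the script is meant to be run from a terminal. Closing unmounts before halting gefs so that no process still has the filesystem mounted when the srv goes away, and deletes the ‥‥‥/dev/fs‥‥‥ device last, so fs(3) does not have to wait for a lingering reference.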