Re: Two questions about LUKS in a file container
On Sat 12 Sep 2020 at 12:10:48 (-0400), rhkramer@gmail.com wrote:
> I'm thinking about putting my backup encrypted files in a LUKS filesystem within
> a file instead of on a dedicated partition (for a few reasons).
>
> I have two questions about that:
>
> * if I don't have that LUKS filesystem "mounted" and open and I write to it,
> I assume (or hope) that nothing will get written and I will get a warning or
> error message of some sort?
Create a permanent mount point with the permissions set to ugo=,
i.e. nothing.
If you're afraid that root will read or write to it,
then instead use a script like the following:
. unlock the LUKS
. mkdir the mount point
. mount the filesystem
When finished with the container, another script:
. umount the filesystem
. rmdir the mount point
. lock the LUKS
To have the mount point cleaned up when you close down (forgetting to run
the latter script), make the mount point under /tmp.
> * doesn't exactly apply to this situation, but, on the other hand, if my
> "source" / original / non-backup LUKS system is in a file instead of on a
> dedicated partition, and I use commands (like rsync or such) to copy the
> unencrypted files not on the LUKS system, but I use options like the ones to
> stay on the current filesystem (--one-file-system), I assume (or hope) that the
> stuff in the encrypted partition will not get copied?
I assume that --one-file-system would notice that the encrypted
filesystem is read from /dev/dm-*, whereas the container file is
being read from /dev/sd*, and would avoid using the former.
Cheers,
David.
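The open/close sequence described in the reply, written out as a pair of shell functions with a guard that refuses to write when the container is not mounted. This is an added example, not a script from the original thread or from the Debian project; it assumes the container file is passed as an argument, that the mount point lives under /tmp and is named after the container file, and that cryptsetup, mount and GNU stat are available. The mapper name and mount-point helpers are hypothetical conventions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): open/close a LUKS container
# kept in a file, following the unlock/mkdir/mount and umount/rmdir/lock
# sequence from the reply. Assumption: $1 is the path to the container file.
set -eu

# Mapper name derived from the container file name (assumed convention),
# e.g. /home/me/backup.img -> backup_img
mapper_name() {
    basename "$1" | tr -c 'A-Za-z0-9_\n' '_'
}

# Mount point under /tmp, so a forgotten close is cleaned up at shutdown
mount_point_for() {
    printf '/tmp/luks-%s\n' "$(mapper_name "$1")"
}

# True only if $1 exists and is a mount point: its device number differs
# from that of its parent directory (does not detect "/" itself).
is_mountpoint() {
    [ -d "$1" ] || return 1
    [ "$(stat -c %d "$1")" != "$(stat -c %d "$1/..")" ]
}

# Guard for backup scripts: refuse to write into a path that is not a
# mounted filesystem, so nothing lands in the bare directory by mistake.
require_mounted() {
    if ! is_mountpoint "$1"; then
        echo "refusing: $1 is not a mounted filesystem" >&2
        return 1
    fi
}

# unlock the LUKS, mkdir the mount point, mount the filesystem
luks_open_container() {
    container=$1
    name=$(mapper_name "$container")
    mp=$(mount_point_for "$container")
    cryptsetup open "$container" "$name"   # prompts for the passphrase
    mkdir -m 0700 "$mp"                    # fails if a stale one exists
    mount "/dev/mapper/$name" "$mp"
    printf '%s\n' "$mp"
}

# umount the filesystem, rmdir the mount point, lock the LUKS
luks_close_container() {
    container=$1
    name=$(mapper_name "$container")
    mp=$(mount_point_for "$container")
    umount "$mp"
    rmdir "$mp"
    cryptsetup close "$name"
}

case "${1:-}" in
    open)  luks_open_container "$2" ;;
    close) luks_close_container "$2" ;;
    *)     echo "usage: $0 open|close CONTAINER_FILE" >&2 ;;
esac
```

Run as root with `open /path/to/backup.img` and later `close /path/to/backup.img`; a backup script can call `require_mounted "$(mount_point_for /path/to/backup.img)"` before writing. Because the opened container is a separate filesystem on its own /dev/mapper device, `rsync --one-file-system` (`-x`) run from the parent directory stops at the mount point and does not descend into the decrypted files.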