changeblog/1755538728

Encrypted File Store on Plan 9 using cryptsetup

Mon, 18 Aug 25 19:38:48 CES

Sometimes you just need a little writable filesystem that is encrypted and stored in a single file. Turns out there are multiple ways to do that, besides the obvious ones.

This post describes a simple way to do that using cryptsetup and gefs. I won't go into the details of configuring gefs to do exactly what you want. Also, gefs is still considered experimental and should be used with care. If you store sensitive data in that file, make sure you have a proper backup.

Cryptsetup

Using gefs on a file is trivial, so we start with the more complicated things: cryptsetup. Cryptsetup uses fs(3) to expose the unencrypted file as a simple disk filesystem. The stored file itself is encrypted. First, we have to create a file we can use. We use dd for that:

dd -if /dev/zero -bs 1024 -count 524288 > mydisk

This generates a file mydisk with a size of roughly 500 MB (512 * 1024 = 524288 blocks of 1024 bytes each). You can use hoc to calculate the perfect size for you.

Note that gefs has a minimum file size requirement.

We want to encrypt this file with cryptsetup. To do that, we first initialize the file, then make it available in /dev/fs:

# set up file for encryption. Set password.
disk/cryptsetup -f mydisk
# make file available as /dev/fs/mydisk
disk/cryptsetup -i mydisk

After doing that, the decrypted disk file will be available as /dev/fs/mydisk.

gefs

With our virtual disk available in /dev/fs/mydisk, let's use it:

# ream the disk, with $user as the owner
gefs -f /dev/fs/mydisk -r $user
# srv the disk as /srv/mydisk and /srv/mydisk.cmd
gefs -f /dev/fs/mydisk -n mydisk

With that set up, we can mount the disk and use it:

mount -c /srv/mydisk /n/mydisk
# do something

Shutting down the filesystem

To shut down the disk and remove it from /dev/fs, we first have to stop the only process that accesses the file /dev/fs/mydisk by shutting down gefs. Then we can remove the disk from /dev/fs.

# unmount the filesystem from the mount point used above
unmount /n/mydisk
# stop gefs
echo halt > /srv/mydisk.cmd
# remove from /dev/fs
echo del mydisk > /dev/fs/ctl

If gefs is still running when you remove the disk from /dev/fs, fs(3) will wait until the file is no longer in use, and then remove it.
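
As an added example (not part of the original post), the open and close steps above can be wrapped in one rc script that also verifies the decrypted device has really disappeared from /dev/fs after closing. The script name cryptdisk, its arguments and the assumption that the /dev/fs entry is named after the image file's basename are mine; the image must already be formatted with cryptsetup -f and reamed as shown earlier.

```rc
#!/bin/rc
# cryptdisk: added example, not from the original post.
# Assumption: disk/cryptsetup -i names the device /dev/fs/<basename of image>.
rfork e

fn usage {
	echo 'usage: cryptdisk open|close image [mountpoint]' >[1=2]
	exit usage
}

fn opendisk {
	# prompts for the password and publishes the decrypted view
	disk/cryptsetup -i $img || exit 'cryptsetup failed'
	if(! test -e /dev/fs/$name)
		exit 'no decrypted device'
	# serve the filesystem as /srv/$name and /srv/$name.cmd, then mount it
	gefs -f /dev/fs/$name -n $name || exit 'gefs failed'
	mount -c /srv/$name $mnt
}

fn closedisk {
	unmount $mnt
	echo halt > /srv/$name.cmd
	echo del $name > /dev/fs/ctl
	# fs(3) only removes the device once nothing uses it, so wait a little
	for(i in 1 2 3 4 5){
		if(test -e /dev/fs/$name)
			sleep 1
	}
	# while the entry exists, the plaintext is still readable there
	if(test -e /dev/fs/$name){
		echo 'warning: /dev/fs/'$name' is still present' >[1=2]
		exit 'still open'
	}
}

if(! ~ $#* 2 3)
	usage
img=$2
name=`{basename $img}
mnt=/n/$name
if(~ $#* 3)
	mnt=$3

switch($1){
case open
	opendisk
case close
	closedisk
case *
	usage
}
```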

Regarding actual use: I haven't used this system yet. It is possible that it's very slow, but I doubt that. Gefs could eat your data, so have a good backup solution.