
Files don't appear on other service

Open tourshi opened this issue 2 years ago • 3 comments

Hi, I really like the idea of your project, but have had a hard time getting it to work. The files appear to mount correctly in the Veracrypt container but are not accessible from the other service that I have (in a docker compose file). Am I missing something here? I could not get it to work for the life of me. Tried changing permissions (to allow all users access), tried tinkering with the order in which containers start up... couldn't get it to work. My docker compose file is the same as the example one.

Are there any other things I need to do to ensure veracrypt files can be accessed from the other service?

Thanks!

tourshi avatar Nov 24 '23 19:11 tourshi

I have the same issue. I can see within the container the files are mounted correctly, and I changed permissions on everything to all users, but I still cannot see the files outside of the container on the host. If the Veracrypt container is not mounted to the shared volume, I can manually create a file within the Docker container, and it will reflect on the host machine, which confirms that the volume mapping is correct.

am4to5 avatar Mar 18 '24 02:03 am4to5

In my opinion, the docker-compose example won't work as it is. It is using a volume "decrypted", which is not mentioned anywhere in the entrypoint.sh; I am not sure how it is supposed to work. A crucial part may be missing. I tried mounting the veracrypt file onto the given volume inside the container, but it says "mountpoint is already in use". The same happened when I used a bind instead of a volume. It then worked after mounting the veracrypt file into a subfolder of the bind and setting the bind propagation to shared. Unfortunately, this trick cannot be used with a volume, as volumes don't support bind propagation. Thus, be aware that this also exposes the files to your host.

  1. I disregarded the sub folder stuff in my case.
  2. Make a dir on your host: mkdir /tmp/decrypted
  3. Build a new image from a Dockerfile using the following veracrypt command in the entrypoint.sh: veracrypt --text --non-interactive --password="$VERACRYPT_PASSWORD" /encrypted-file /decrypted/content
  4. docker-compose, which uses a bind mount with shared propagation:

```yaml
version: '3.8'

services:
  veracrypt:
    image: your/new-image
    environment:
      - VERACRYPT_PASSWORD=supersecret
    volumes:
      - /path/to/encrypted-file:/encrypted-file
      - /tmp/decrypted:/decrypted:shared

  other-service:
    image: your/other-service
    depends_on:
      - veracrypt
    volumes:
      - /tmp/decrypted/content:/path/in/other-service

volumes:
```

The purpose of the shared bind propagation is to propagate sub-mounts of the original mount. As the original mount is already in use, we cannot use it with veracrypt. https://docs.docker.com/storage/bind-mounts/#configure-bind-propagation

Nota bene: When stopping the stack, file names may remain visible on your host when you don't unmount properly from inside the container: truecrypt -d. There may be some ways to catch the shutdown signal and dismount automatically when the container stops.

mkrist1 avatar Mar 18 '24 06:03 mkrist1
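One way to catch the shutdown signal mentioned in the comment above, as an added example that is not part of the thread or the project's own entrypoint.sh: the script mounts with the command from step 3, stays in the foreground, and dismounts when Docker sends SIGTERM. The `run` argument, the function names and the `VOLUME`/`MOUNT_DIR` variables are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not the project's entrypoint.sh.
# Paths follow the compose file in the comment above; both are overridable.
VOLUME="${VOLUME:-/encrypted-file}"
MOUNT_DIR="${MOUNT_DIR:-/decrypted/content}"

mount_volume() {
    # Mount into a subfolder of the shared bind, as described in the thread.
    mkdir -p "$MOUNT_DIR" || return 1
    # Command as given in step 3. A password on argv is visible in the
    # process list of anything sharing this PID namespace.
    veracrypt --text --non-interactive --password="$VERACRYPT_PASSWORD" \
        "$VOLUME" "$MOUNT_DIR" || return 1
    # Fail closed: report success only if something is really mounted there.
    mountpoint -q "$MOUNT_DIR"
}

dismount_volume() {
    # Nothing mounted (already dismounted, or mount never succeeded): no-op.
    mountpoint -q "$MOUNT_DIR" || return 0
    veracrypt --text --dismount "$MOUNT_DIR"
}

main() {
    # docker stop / docker compose down deliver SIGTERM to PID 1.
    # Dismount first so decrypted names do not stay visible under the bind.
    trap 'dismount_volume; rc=$?; kill "$SLEEP_PID" 2>/dev/null; exit "$rc"' TERM INT
    mount_volume || { echo "veracrypt mount failed" >&2; exit 1; }
    # Sleep in the background and wait on it: a foreground sleep would
    # delay the trap until the sleep finished.
    while :; do
        sleep 3600 &
        SLEEP_PID=$!
        wait "$SLEEP_PID"
    done
}

# Only start when invoked as: /entrypoint.sh run (assumed ENTRYPOINT form)
if [ "${1:-}" = "run" ]; then
    main
fi
```

The script has to be PID 1 in the container (exec-form ENTRYPOINT) to receive the signal, and the dismount has to finish within the stop timeout (`stop_grace_period` in Compose) before Docker falls back to SIGKILL.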

This lines up well with everything I tried and discovered. This project is a great concept, but I'm not yet seeing how it would work in reality.

am4to5 avatar Mar 18 '24 10:03 am4to5