fscrypt file encryption
✅ Build
If you prefer a controlled environment (users like you most likely do)
1️⃣ Install dependencies
2️⃣ Build
cd fscrypt
make
3️⃣ Install
fscrypt has a minimal set of build dependencies:
- Go 1.23 or higher. Older versions may work but they are not tested or supported.
- A C compiler (gcc or clang)
- make
- Headers for libpam. Install them with the appropriate package manager:
  - Debian/Ubuntu: sudo apt install libpam0g-dev
  - Red Hat: sudo yum install pam-devel
  - Arch: pam package (usually installed by default)
Once all the dependencies are installed, clone the repository by running:
git clone https://github.com/google/fscrypt
Running make builds the binary (fscrypt) and PAM module (pam_fscrypt.so) in the bin/ directory.
Running sudo make install installs fscrypt into /usr/local/bin, pam_fscrypt.so into /usr/local/lib/security, and pam_fscrypt/config into /usr/local/share/pam-configs.
On Debian (and Debian derivatives such as Ubuntu), use sudo make install PREFIX=/usr to install into /usr instead of the default of /usr/local. Ordinarily you shouldn't manually install software into /usr, since /usr is reserved for Debian's own packages. However, Debian's PAM configuration framework only recognizes configuration files in /usr, not in /usr/local. Therefore, the PAM module will only work if you install into /usr. Note: if you later decide to switch to using the Debian package libpam-fscrypt, you'll have to first manually run sudo make uninstall PREFIX=/usr.
It is also possible to use make install-bin to only install the fscrypt binary, or make install-pam to only install the PAM files.
Alternatively, if you only want to install the fscrypt binary to $GOPATH/bin, simply run:
go install github.com/google/fscrypt/cmd/fscrypt@latest
Part 1: Overall architecture (what you are building)
↓
systemd
↓
Unlock the encrypted directory (fscrypt)
↓
Mount complete (/data/...)
↓
Docker starts
↓
Containers access the encrypted data ✔
Part 2 (step 1): fscrypt automatic unlock (systemd)
✅ 1️⃣ Create a dedicated keyfile
mkdir -p /root/.fscrypt
chmod 700 /root/.fscrypt
dd if=/dev/urandom of=/root/.fscrypt/keyfile bs=32 count=1
chmod 600 /root/.fscrypt/keyfile
✅ 2️⃣ Initialize fscrypt (done only once)
✅ 3️⃣ Encrypt the directory with the keyfile (critical)
mkdir -p /data/docker-secure
fscrypt encrypt /data/docker-secure \
--source=raw_key \
--key=/root/.fscrypt/keyfile
👉 Characteristics of this mode:
- No dependency on a user login ✔
- Can be unlocked automatically ✔
- Suitable for servers ✔
✅ 4️⃣ Write the systemd service (core)
Contents:
[Unit]
Description=Unlock fscrypt directories
DefaultDependencies=no
After=local-fs.target
Before=docker.service

[Service]
Type=oneshot
ExecStart=/usr/local/bin/fscrypt unlock /data/docker-secure --key=/root/.fscrypt/keyfile
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
✅ 5️⃣ Enable
systemctl enable fscrypt-unlock
Part 3 (step 2): Docker start-up dependency (prevents start failures)
Modify the Docker service
Add:
[Unit]
After=fscrypt-unlock.service
Requires=fscrypt-unlock.service
👉 Effect:
- fscrypt not unlocked ❌ → Docker does not start
- Guarantees the data is available ✔
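The keyfile check, the unlock unit and the Docker dependency from steps 1 to 5 above, collected into one provisioning script. This is an added example, not code from the original post or from the fscrypt project. It assumes the unit file lives at /etc/systemd/system/fscrypt-unlock.service (the name that `systemctl enable fscrypt-unlock` refers to) and that the Docker override goes in /etc/systemd/system/docker.service.d/override.conf; both are standard systemd locations the post does not spell out. The keyfile check reflects fscrypt's raw_key requirement of exactly 32 bytes.

```shell
#!/bin/sh
# Added example (not from the original post): provisions the fscrypt-unlock
# unit and the Docker drop-in described above, after checking the keyfile.
# Assumed paths: /etc/systemd/system/fscrypt-unlock.service and
# /etc/systemd/system/docker.service.d/override.conf (standard systemd
# locations, not stated in the post). fscrypt is only invoked by the unit.

# A raw_key protector needs exactly 32 bytes, and the file must be readable
# by root only (mode 600). Returns 0 if the keyfile is usable.
check_keyfile() {
    f=$1
    [ -f "$f" ] || { echo "keyfile missing: $f" >&2; return 1; }
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -eq 32 ] || { echo "keyfile must be 32 bytes, got $size" >&2; return 1; }
    mode=$(stat -c '%a' "$f")
    [ "$mode" = "600" ] || { echo "keyfile mode must be 600, got $mode" >&2; return 1; }
    return 0
}

# Write the oneshot unit that unlocks DIR with KEYFILE before docker.service.
write_unlock_unit() {
    out=$1; dir=$2; keyfile=$3
    cat > "$out" <<EOF
[Unit]
Description=Unlock fscrypt directories
DefaultDependencies=no
After=local-fs.target
Before=docker.service

[Service]
Type=oneshot
ExecStart=/usr/local/bin/fscrypt unlock $dir --key=$keyfile
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF
}

# Drop-in so Docker refuses to start while the directory is still locked.
write_docker_dropin() {
    out=$1
    cat > "$out" <<'EOF'
[Unit]
After=fscrypt-unlock.service
Requires=fscrypt-unlock.service
EOF
}

# Full provisioning; run as root with: sh provision.sh install
# Without an argument the script only defines the functions above.
if [ "${1:-}" = "install" ]; then
    KEYFILE=/root/.fscrypt/keyfile
    DIR=/data/docker-secure
    check_keyfile "$KEYFILE" || exit 1
    write_unlock_unit /etc/systemd/system/fscrypt-unlock.service "$DIR" "$KEYFILE"
    mkdir -p /etc/systemd/system/docker.service.d
    write_docker_dropin /etc/systemd/system/docker.service.d/override.conf
    systemctl daemon-reload
    systemctl enable fscrypt-unlock.service
    echo "provisioned; reboot or run: systemctl start fscrypt-unlock.service"
fi
```

Run `sh provision.sh install` as root after the directory has been encrypted with the keyfile. Note the threat model this leaves you with: because the keyfile sits in plaintext on the root filesystem, the at-rest protection of /data/docker-secure is only as strong as access to /root/.fscrypt/keyfile, which is the single point of risk the post goes on to address in Part 5.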
Part 4 (step 3): Directory layout (avoid pitfalls)
Recommended structure
/data/docker-volumes ← plain data
/data/docker-secure ← encrypted data (fscrypt)
Container example
docker run -d \
  -v /data/docker-secure/mysql:/var/lib/mysql \
  mysql:8
👉 Note:
/data/docker-secure must be unlocked before Docker starts
Part 5 (step 4): Lightweight key custody (key enhancement)
What you are using now:
👉 This is a "single point of risk"; let's improve it.
✅ Option 1 (recommended): separate key + permission control
Restrictions:
Read only from within the service
✅ Option 2 (advanced): environment variable injection
✅ Option 3 (more secure): remote unlock (optional)
👉 Combined with the WireGuard setup you built earlier:
- No automatic unlock after boot
- Run the unlock over SSH on the internal network
👉 This is a "simplified KMS"
Part 6: Security hardening (mandatory at your level)
1️⃣ Restrict directory permissions
2️⃣ Prevent Docker from escalating privileges
daemon.json:
{
  "userns-remap": "default"
}
3️⃣ SELinux (if enabled)
Part 7: Verification procedure (mandatory)
✔ Test steps
Check:
👉 Must satisfy:
- Directory unlocked ✔
- Docker running normally ✔
- Container data accessible ✔
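A script for the three checks listed above, as an added example that is not part of the original post. It assumes that `fscrypt status DIR` prints an `Unlocked: Yes` line for an unlocked directory (the output format of current fscrypt releases) and uses a throwaway alpine:3 container, an arbitrary choice, to confirm that a container can write and read a file inside /data/docker-secure.

```shell
#!/bin/sh
# Added example, not from the original post: checks the three conditions
# listed above (directory unlocked, Docker running, container can use the data).
# Assumption: `fscrypt status DIR` prints "Unlocked: Yes" for an unlocked
# directory (format of current fscrypt releases).

# Read `fscrypt status` output from stdin; return 0 when the directory is unlocked.
status_is_unlocked() {
    grep -q '^Unlocked:[[:space:]]*Yes'
}

# Confirm systemd really orders docker.service after the unlock unit.
docker_depends_on_unlock() {
    systemctl show -p After --value docker.service | grep -qw 'fscrypt-unlock.service'
}

# Write and read back a probe file from inside a container (alpine:3 is an
# arbitrary image choice, not one the post names).
container_can_use_dir() {
    dir=$1
    docker run --rm -v "$dir:/secure" alpine:3 sh -c \
        'echo probe > /secure/.fscrypt-probe && cat /secure/.fscrypt-probe && rm /secure/.fscrypt-probe' \
        | grep -q '^probe$'
}

# Run on the host as root: sh verify.sh /data/docker-secure
verify_host() {
    dir=${1:-/data/docker-secure}
    fscrypt status "$dir" | status_is_unlocked \
        || { echo "FAIL: $dir is locked" >&2; return 1; }
    [ "$(systemctl is-active fscrypt-unlock.service)" = "active" ] \
        || { echo "FAIL: fscrypt-unlock.service not active" >&2; return 1; }
    [ "$(systemctl is-active docker)" = "active" ] \
        || { echo "FAIL: docker not active" >&2; return 1; }
    docker_depends_on_unlock \
        || { echo "FAIL: docker.service is not ordered after fscrypt-unlock.service" >&2; return 1; }
    container_can_use_dir "$dir" \
        || { echo "FAIL: container cannot read/write $dir" >&2; return 1; }
    echo "OK: $dir unlocked, docker up, container access works"
}

# Only run the host checks when a directory is given on the command line.
if [ -n "${1:-}" ]; then
    verify_host "$1"
fi
```

Run it once after a reboot, not only after a manual `systemctl start`: the ordering check is what proves Docker would have waited for the unlock on its own.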
Part 8: Key risks (I have to warn you about these)
❗ 1. Losing the keyfile = permanent data loss
👉 Must be backed up:
yxbinghe
$ export GO111MODULE=on
$ export GOPROXY=https://goproxy.cn
$ echo "export GO111MODULE=on" >> ~/.profile
$ echo "export GOPROXY=https://goproxy.cn" >> ~/.profile
$ source ~/.profile