Is there a way to produce an encrypted unprivileged container, or to encrypt the entire container after its conception?
There is no direct support for encryption in LXC or LXD but there are ways around that.
For LXC, you could keep the container config outside of encrypted storage, then have a mount hook for the container which sets up the rootfs from your encrypted partition. That'd be a custom hook script you'd need to write.
The alternative, and something that would work for both LXC and LXD, is to set up a container storage path (or storage pool in LXD's case) which is stored on encrypted storage. It'd then be up to you to make sure that this encrypted storage is mounted prior to starting any containers.
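An added example of the hook approach described above (not code from this thread or from the LXC project): a `lxc.hook.pre-mount` script that opens a LUKS volume with cryptsetup and mounts it on the container's rootfs directory before LXC mounts the rootfs. The config lines, the device path under `/dev/disk/by-label`, and the key-file location are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed container config (hypothetical paths):
#   lxc.rootfs.path = dir:/var/lib/lxc/secure/rootfs
#   lxc.hook.pre-mount = /var/lib/lxc/secure/open-rootfs.sh
# pre-mount hooks run in the container's mount namespace before the rootfs is
# set up, so the mount made here is not visible in the host's namespace and
# LXC's own rootfs bind mount picks up the decrypted filesystem.
set -eu

# Derive the dm-crypt mapper name from the container name so two containers
# never share one mapping. Prints "lxc-<name>".
mapper_name() {
    printf 'lxc-%s\n' "$1"
}

# Succeeds only when the hook variables LXC sets are present and non-empty.
hook_env_ok() {
    [ -n "${LXC_NAME:-}" ] && [ -n "${LXC_ROOTFS_PATH:-}" ]
}

open_and_mount() {
    name=$(mapper_name "$LXC_NAME")
    # LXC_ROOTFS_PATH carries the lxc.rootfs.path value; drop the "dir:" prefix.
    target=${LXC_ROOTFS_PATH#dir:}
    device=/dev/disk/by-label/lxc-"$LXC_NAME"   # assumed LUKS device label
    keyfile=/etc/lxc/keys/"$LXC_NAME".key        # assumed key file, mode 0600, host-only
    if [ ! -e /dev/mapper/"$name" ]; then
        cryptsetup open --key-file "$keyfile" "$device" "$name"
    fi
    mountpoint -q "$target" || mount /dev/mapper/"$name" "$target"
}

# Only act when LXC actually invokes this script as a pre-mount hook.
if [ "${LXC_HOOK_TYPE:-}" = "pre-mount" ]; then
    hook_env_ok || { echo "missing LXC hook environment" >&2; exit 1; }
    open_and_mount
fi
```

The mapping stays open after the container stops, so a matching `lxc.hook.post-stop` script should run `cryptsetup close` on the same mapper name.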
Thanks for the feedback. Neither workaround is attractive, since both rely on the host storage (path/partition) being encrypted, which is already the case.
I had been looking for the encryption to be independent of its host, perhaps like what is mentioned here https://github.com/lxc/lxd/issues/3990, but that seems LXD specific.