In a desperate attempt to get any kind of hard disk encryption running in a non-privileged container, I am trying to use native ext4 encryption. I have created an ext4 file system on the host using mkfs.ext4 -O encrypt and then mounted it on / of my container using the dir driver.
No one seems to actually be using ext4 encryption, so it is hard to find any proper documentation on it. It seems that the functionality is built into the Linux kernel and there are two common command-line utils to use it: e4crypt provided by e2fsprogs and fscrypt made by Google. I have tried both and gotten a Permission denied error with both.
Here is what I’m running inside the container:
[root@test ~]# e4crypt add_key
Enter passphrase (echo disabled):
Added key with descriptor [5f23c1bfa081cfc5]
[root@test /]# e4crypt set_policy 5f23c1bfa081cfc5 srv.enc
Error [Permission denied] setting policy.
The key descriptor [5f23c1bfa081cfc5] may not match the existing encryption context for directory [srv.enc].
[root@test /]# ~/go/bin/fscrypt setup
Defaulting to policy_version 2 because kernel supports it.
Customizing passphrase hashing difficulty for this system...
Created global config file at "/etc/fscrypt.conf".
Metadata directories created at "/.fscrypt".
[root@test /]# ~/go/bin/fscrypt encrypt srv.enc
The following protector sources are available:
1 - Your login passphrase (pam_passphrase)
2 - A custom passphrase (custom_passphrase)
3 - A raw 256-bit key (raw_key)
Enter the source number for the new protector [2 - custom_passphrase]:
Enter a name for the new protector: test
Enter custom passphrase for protector "test":
Confirm passphrase:
[ERROR] fscrypt encrypt: failed to set encryption policy on "srv.enc": permission denied
strace shows the following call as failing:
ioctl(3, FS_IOC_SET_ENCRYPTION_POLICY, 0x7ffc5963e834) = -1 EACCES (Permission denied)
Is there some way how I can give the container permission to use ext4 encryption?