ref: ed89f165e975eee6654d20dc691335cab78391ba
parent: 972b0cbab901907c7593b29dfb9cdd881dd6781f
author: sirjofri <sirjofri@sirjofri.de>
date: Mon Aug 18 14:06:27 EDT 2025
adds cryptsetup blog post
--- /dev/null
+++ b/changeblog/1755538728.txt
@@ -1,0 +1,118 @@
+Encrypted File Store on Plan 9 using cryptsetup
+
+Sometimes you just need a little writable filesystem that is encrypted and stored in a single file.
+Turns out there are multiple ways to do that, besides the obvious ones.
+
+This post describes a simple way to do that using cryptsetup and gefs.
+It is worth noting that I won't go into details about configuring gefs to do exactly what you want.
+Also, gefs is still considered experimental and should be used with care.
+Especially if you store sensitive data in that file, you should have a proper backup.
+
+### Cryptsetup
+
+Using gefs on a file is trivial, so we start with the more complicated things: cryptsetup.
+Cryptsetup uses fs(3) to expose the unencrypted file as a simple disk filesystem.
+The stored file itself is encrypted.
+First, we have to create a file we can use.
+We use ‥‥‥dd‥‥‥ for that:
+
+[[[ms
+.P1
+dd -if /dev/zero -bs 1024 -count 524288 > mydisk
+.P2
+]]]
+[[[ebook
+<code>dd -if /dev/zero -bs 1024 -count 524288 > mydisk
+]]]
+
+This generates a file ‥‥‥mydisk‥‥‥ with a size of roughly 500 MB (512 * 1024 = 524288).
+You can use ‥‥‥hoc‥‥‥ to calculate the perfect size for you.
+
+Note that gefs has a minimum file size requirement.
+
+We want to encrypt this file with cryptsetup.
+To do that, we first initialize the file, then make it available in ‥‥‥/dev/fs‥‥‥:
+
+[[[ms
+.P1
+# set up file for encryption. Set password.
+disk/cryptsetup -f mydisk
+# make file available as /dev/fs/mydisk
+disk/cryptsetup -i mydisk
+.P2
+]]]
+[[[ebook
+<code><pre>
+# set up file for encryption. Set password.
+disk/cryptsetup -f mydisk
+# make file available as /dev/fs/mydisk
+disk/cryptsetup -i mydisk
+</pre></code>
+]]]
+
+After doing that, the decrypted disk file will be available as ‥‥‥/dev/fs/mydisk‥‥‥.
+
+### gefs
+
+With our virtual disk available in ‥‥‥/dev/fs/mydisk‥‥‥, let's use it:
+
+[[[ms
+.P1
+# ream the disk, with $user as the owner
+gefs -f /dev/fs/mydisk -r $user
+# srv the disk as /srv/mydisk and /srv/mydisk.cmd
+gefs -f /dev/fs/mydisk -n mydisk
+.P2
+]]]
+[[[ebook
+<code><pre>
+# ream the disk, with $user as the owner
+gefs -f /dev/fs/mydisk -r $user
+# srv the disk as /srv/mydisk and /srv/mydisk.cmd
+gefs -f /dev/fs/mydisk -n mydisk
+</pre></code>
+]]]
+
+With that set up, we can mount the disk and use it:
+
+[[[ms
+.P1
+mount -c /srv/mydisk /n/mydisk
+# do something
+.P2
+]]]
+[[[ebook
+<code><pre>
+mount -c /srv/mydisk /n/mydisk
+# do something
+</pre></code>
+]]]
+
+### Shutting down the filesystem
+
+To shut down the disk and remove it from ‥‥‥/dev/fs‥‥‥, we first have to remove the only process that accesses the file ‥‥‥/dev/fs/mydisk‥‥‥ by shutting down gefs, then we can remove it from ‥‥‥/dev/fs‥‥‥.
+
+[[[ms
+.P1
+unmount /srv/mydisk
+# stop gefs
+echo halt > /srv/mydisk.cmd
+# remove from /dev/fs
+echo del mydisk > /dev/fs/ctl
+.P2
+]]]
+[[[ebook
+<code></pre>
+unmount /srv/mydisk
+# stop gefs
+echo halt > /srv/mydisk.cmd
+# remove from /dev/fs
+echo del mydisk > /dev/fs/ctl
+</pre></code>
+]]]
+
+When gefs is still running while you remove the disk from ‥‥‥/dev/fs‥‥‥, fs(3) will wait until the file is not used anymore, and then remove it.
+
+Regarding actual use: I haven't used this system yet.
+It is possible that it's very slow, but I doubt that.
+Gefs could eat your data, so have a good backup solution.
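Review bot: In the "Shutting down the filesystem" section, `unmount /srv/mydisk` (in both the ms and the ebook block) names the srv file rather than the mount point; the earlier step was `mount -c /srv/mydisk /n/mydisk`, so this should read `unmount /n/mydisk`. The ebook block of that same section opens with `<code></pre>` where the other blocks use `<code><pre>`, and the first ebook block (the dd command) opens `<code>` with no `<pre>` and no closing `</code>`, so both will render incorrectly. It would also be worth one sentence in the shutdown section stating that the decrypted data stays readable at /dev/fs/mydisk until the `del` has actually taken effect, since the text says fs(3) defers removal while gefs still holds the file.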
--
⑨