

OP, test the performance of LUKS image, VeraCrypt (if entertaining that) and Cryptomator and tell us how they perform and let us know! 😁
You could run a small set of fio runs to test sequential, random and parallel perf.




The host mounts no LUKS. The host just exports a network share via NFS. The client mounts that NFS share to a local mount point. Then the client has a dir which actually resides on the host. So far completely standard NAS stuff. Then the client creates a file in that dir. E.g. secretcontainer.img. This file is then encrypted on the client using cryptsetup (LUKS). Then it’s mounted on the client using LUKS. All the LUKS stuff happens on the client. The only interaction with the host is through NFS. The host just sees a file appear called secretcontainer.img on its storage. The same idea would work with VeraCrypt instead of LUKS. Or Cryptomator. Or anything else that can store encrypted data in file(s) in a directory.
LUKS can be used on a single file where the file acts as a disk device.
Also what I’m describing here is bog-standard Linux functionality that’s existed at least for 2 decades. Nothing fancy. It’s stuff that’s good to know so I’d be happy to answer questions.
E:
The procedure on the client is roughly:
cd /network/share/mountpoint
fallocate -l 1G test.img
cryptsetup luksFormat test.img
cryptsetup open test.img test_decrypted
mkfs.ext4 /dev/mapper/test_decrypted
mount /dev/mapper/test_decrypted /mnt
Once that’s done, subsequent uses are:
cryptsetup open test.img test_decrypted
mount /dev/mapper/test_decrypted /mnt
Of course that can be automated further.
Just tested it in a local dir and it works fine. The only difference between that and the real scenario is whether test.img resides on a network mount or local disk. Since the network mounts behave like normal disks, everything else works the same. The only concern is what the performance would be, which depends on how the underlying network fs handles reads/writes to test.img. E.g. if you change 0.5MB, does it send that 0.5MB or does it rewrite the whole 1GB file. When reading, does it have to read the whole 1GB file or just parts of it as needed. Etc.


Please do VS Code. 😁


Cryptomator encrypts files individually right?
E:
For the curious like me, here’s how Cryptomator makes a directory with multiple encrypted files appear as a single vol when decrypted. From mount:
fuse-nio-adapter on $HOME/.local/share/Cryptomator/mnt/test type fuse.fuse-nio-adapter (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)
It uses its own fuse module to present it as a volume. The real directory has its own file structure:
~/test/test$ find
.
./c
./vault.cryptomator
./vault.cryptomator.12A05032.bkup
./d
./d/LO
./d/LO/AYYSWMZO35ASQ2HOACU3I7LRVIAMH4
./d/LO/AYYSWMZO35ASQ2HOACU3I7LRVIAMH4/PmAyroZAF5W7kGoHxr3Fhi-NeQIeO7SZcufE.c9r
./d/LO/AYYSWMZO35ASQ2HOACU3I7LRVIAMH4/dirid.c9r
./IMPORTANT.rtf
./masterkey.cryptomator.7DB56291.bkup
./masterkey.cryptomator
This looks like a good option. Perhaps more flexible than using LUKS/VeraCrypt file, but those should work too if the underlying dir is on NFS/SAMBA.


Not sure I’m getting you and probably didn’t explain myself well. Here’s what I mean:
At no point does the client’s key leave their computer and the host only ever sees encrypted data.
Subsequent uses without automation:
That’s at least how I understood OP’s suggestion for putting LUKS images on the NAS and that is secure indeed. They’re worried about performance.


LUKS-encrypted images won’t have bad performance. Could also use VeraCrypt or something like that for better portability if you need cross-platform function. Expose the folders where the images are stored via NFS/SAMBA. Flexible and portable solution.
You could expose volumes with iSCSI and format/mount them on the clients. Probably don’t want to do that.
E:
LUKS-encrypted images won’t have bad performance.
Actually it depends whether the underlying network fs can do partial writes. I imagine both NFS and SAMBA can. If the file has to be fully rewritten with every change, then perf would be dead.
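A way to measure the partial-write question raised in the LUKS-on-NFS procedure above and in this reply, as an added example that is not code from the thread: it times a whole-file rewrite of a container image against one in-place chunk write, and parses a /proc/self/mountstats snapshot so the serverwritebytes counter of the NFS mount can be compared before and after the write. It assumes Linux, the documented mountstats layout (field 6 of the bytes: line is serverwritebytes), and uses a constructed mountstats sample and a throwaway local file; point partial_write_probe at the image on the NFS mount for a real measurement.

```python
import os
import tempfile
import time

def nfs_server_write_bytes(mountstats_text, path):
    """serverwritebytes for the NFS mount holding `path` (None if not on NFS).
    Takes the text of /proc/self/mountstats so a captured sample can be
    checked offline; field 6 of the 'bytes:' line is serverwritebytes."""
    best_len, best = -1, None
    for block in mountstats_text.split("device ")[1:]:
        head = block.split("\n", 1)[0]      # "srv:/x mounted on /m with fstype nfs4 ..."
        if " with fstype nfs" not in head:
            continue
        mnt = head.split(" mounted on ")[1].split(" with fstype ")[0]
        if (path == mnt or path.startswith(mnt.rstrip("/") + "/")) and len(mnt) > best_len:
            best_len, best = len(mnt), block   # longest mount prefix wins
    for line in (best or "").splitlines():
        if line.strip().startswith("bytes:"):
            return int(line.split()[6])
    return None

def partial_write_probe(path, size, chunk, offset):
    """Time a full rewrite of `path` against one in-place chunk write.
    dm-crypt rewrites only the sectors it touched, so a network fs that
    forwards partial writes should show partial_s far below full_s."""
    pattern = b"\xa5" * chunk
    t0 = time.perf_counter()
    with open(path, "wb") as f:              # cost of rewriting the whole image
        for off in range(0, size, 1 << 20):
            f.write(b"\0" * min(1 << 20, size - off))
        f.flush()
        os.fsync(f.fileno())
    full_s = time.perf_counter() - t0
    fd = os.open(path, os.O_RDWR)
    try:
        t0 = time.perf_counter()
        os.pwrite(fd, pattern, offset)       # in-place write, as dm-crypt issues them
        os.fsync(fd)
        partial_s = time.perf_counter() - t0
        chunk_ok = os.pread(fd, chunk, offset) == pattern
    finally:
        os.close(fd)
    return {"full_s": full_s, "partial_s": partial_s, "chunk_ok": chunk_ok,
            "size_after": os.path.getsize(path)}

def run_local_probe(size=1 << 20, chunk=4096, offset=65536):
    # Throwaway local file; replace the path with the image on the NFS mount.
    with tempfile.TemporaryDirectory() as d:
        return partial_write_probe(os.path.join(d, "test.img"), size, chunk, offset)
```

Snapshot nfs_server_write_bytes(open("/proc/self/mountstats").read(), path) before and after the pwrite: a delta close to `chunk` means the fs sends only the changed bytes, a delta close to `size` means it rewrites the file.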


Marx entered the chat


Now I know one belief. I believe you’re right about the rest. :D
Buddy, the useful thing you want to do with it is also socially impermissible.


You believe the banker profession hasn’t been hollowed out by the radical belief in markets taking care of everything? Hollowed out as in losing the skillset needed to take care of business in back alleys. 😄


Glad to lighten up the day!


Hm. I could self-host that.


True for sure. Also the source is TASS. On the other hand it’s also true that Israel has interest in toppling the Iranian regime. It’s a well established fact that Israel’s Mossad operates within Iran and funnelling weapons furthers that interest. I don’t doubt Israel has done whatever they could to help the protest topple the regime, and I also don’t doubt the Iranian regime did what they could to pin this on Israel and other foreign actors to deflect responsibility.


That’s how the meme goes though. Anytime someone suggests or says something positive about one of vim or emacs, the response should be that they should use the other. 😄
It’s an almost 40-year-old flame war.


“Here in the Democratic party what we do is separately bitch about something, but never, and I mean *when it doesn’t benefit our big donors* use our power collectively to try to affect change. The most we’ll do is put on a show and then cave in.”
FTFY


If it’s this useful, we’re (and them) fucked too because the economy would collapse under falling aggregate demand due to falling wages and layoffs. The “people will find new jobs” won’t save us from a shift this large without a depression. And all sorts of things happen during depressions.


How large is the dump and does it have images in it?


You really should use vim though.
I described the procedure step-by-step mentioning each layer. That’s the best I could do.
OP said they’re worried about performance with this solution. Hence why my first response addressed the performance issue. The rest was responding to you (and anyone else who is reading) since you thought that is not an E2E solution. I tried explaining why it’s client-side encryption and no keys are stored on the host.