On Sat 12 Sep 2020 at 12:10:48 (-0400), rhkra...@gmail.com wrote:
> I'm thinking about putting my backup encrypted files in a LUKS filesystem within
> a file instead of on a dedicated partition (for a few reasons).
>
> I have two questions about that:
>
> * if I don't have that LUKS filesystem "mounted" and open and I write to it,
> I assume (or hope) that nothing will get written and I will get a warning or
> error message of some sort?
Create a permanent mount point with the permissions set to ugo= i.e. nothing.

If you're afraid that root will read or write to it, then instead use a
script like the following:

. unlock the LUKS
. mkdir the mount point
. mount the filesystem

When finished with the container, another script:

. umount the filesystem
. rmdir the mount point
. lock the LUKS

To have the mount point cleaned up when you close down (forgetting to run
the latter script), make the mount point under /tmp.

> * doesn't exactly apply to this situation, but, on the other hand, if my
> "source" / original / non-backup LUKS system is in a file instead of on a
> dedicated partition, and I use commands (like rsync or such) to copy the
> unencrypted files not on the LUKS system, but I use options like the ones to
> stay on the current filesystem (--one-file-system), I assume (or hope) that the
> stuff in the encrypted partition will not get copied?

I assume that --one-file-system would notice that the encrypted filesystem
is read from /dev/dm-*, whereas the container file is being read from
/dev/sd*, and would avoid using the former.

Cheers,
David.
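The open/close procedure described in the reply above, written out as a single POSIX shell script. This is an added example, not a script from the thread or from the cryptsetup project; it assumes `cryptsetup` and `mount` are installed, that it is run as root, and that the container file path is passed as the second argument. The mapper name and the mount point under /tmp are derived from the container's file name (a constructed convention), so that the mount point only exists while the container is unlocked and vanishes at boot on systems that clear /tmp.

```sh
#!/bin/sh
# Added example (not from the thread): open or close a LUKS container that
# lives in a regular file, creating the mount point only while it is open.
# Assumptions: cryptsetup/mount available, run as root, container path in $2.
set -eu

# Derive a device-mapper name from the container file name,
# e.g. /srv/backup.luks -> backup (unsafe characters replaced with '_').
mapper_name() {
    name=$(basename "$1")
    printf '%s\n' "${name%.*}" | sed 's/[^A-Za-z0-9_-]/_/g'
}

# Mount point under /tmp, so a forgotten close is cleaned up at the next boot
# on systems that clear /tmp (constructed convention for this example).
mount_point() {
    printf '/tmp/%s\n' "$(mapper_name "$1")"
}

# unlock the LUKS -> mkdir the mount point -> mount the filesystem
open_container() {
    container=$1
    name=$(mapper_name "$container")
    mnt=$(mount_point "$container")
    cryptsetup open "$container" "$name"   # prompts for the passphrase
    mkdir -m 0700 "$mnt"                   # fails loudly if a stale dir exists
    mount "/dev/mapper/$name" "$mnt"
    echo "opened $container at $mnt"
}

# umount the filesystem -> rmdir the mount point -> lock the LUKS
close_container() {
    container=$1
    name=$(mapper_name "$container")
    mnt=$(mount_point "$container")
    umount "$mnt"
    rmdir "$mnt"                           # nothing is left for root to write into
    cryptsetup close "$name"
    echo "closed $container"
}

case "${1:-}" in
    open)  open_container "${2:?container path required}" ;;
    close) close_container "${2:?container path required}" ;;
    "")    ;;   # no arguments: only define the functions (e.g. when sourced)
    *)     echo "usage: $0 open|close /path/to/container.luks" >&2; exit 2 ;;
esac
```

Usage: `sh luksfile.sh open /srv/backup.luks` unlocks and mounts at /tmp/backup; `sh luksfile.sh close /srv/backup.luks` reverses the three steps in the opposite order. Because `mkdir` is not `mkdir -p`, a leftover directory from an earlier unclean close stops the script before anything is mounted on top of it.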