I've seen this excellent answer that explains how to use the following squashfs command to compress a disk image on-the-fly:
mkdir empty-dir
mksquashfs empty-dir squash.img -p 'sda_backup.img f 444 root root dd if=/dev/sda bs=4M'
I would like to also encrypt the image file on-the-fly. I would rather encrypt after creating the squashfs image so the encrypted image files are still as small as possible.
I would like the image to be encrypted to a public key so the backup process is unable to decrypt the backup files. I am intending to boot the machine off USB, and back up the boot drive to an encrypted image on a Samba share, but I don't want to use a hardcoded key on the USB stick for obvious reasons.
I understand that because public-key encryption is slow, to encrypt a large file to a public key, it is necessary to create a random nonce, then encrypt that nonce, then use the result to encrypt the file using that as a symmetric key. I'm sure there are tools out there to do this, but I have no idea how to achieve this on my Ubuntu machine.
Also, is it possible to loop-mount an encrypted file? I would much rather not have to decrypt the whole file in order to mount it. I don't mind if the image can only be mounted read-only.
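
The scheme described in the question (a random per-backup secret wrapped with the public key, then used for symmetric encryption of the stream), sketched with the OpenSSL command line as an added example that is not part of the original post. The function names, the `SESSION_SECRET` variable and the `.key.enc` / `.data.enc` file names are assumptions made for this sketch, and it assumes an RSA key pair and OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: envelope (hybrid) encryption with the OpenSSL CLI.
# Function and file names are assumptions made for this sketch.
# Caveat: `openssl enc` has no authenticated (AEAD) modes, so the output
# is confidential but not tamper-evident; sign or MAC it separately.

# encrypt_stream PUBKEY.pem PREFIX   (plaintext on stdin)
# Writes PREFIX.key.enc (RSA-OAEP wrapped secret) and PREFIX.data.enc
# (AES-256-CTR ciphertext). Only the public key is needed on this side.
encrypt_stream() {
    pub=$1 prefix=$2
    # Fresh random 256-bit secret for this one backup.
    session=$(openssl rand -hex 32) || return 1
    # Wrap the secret to the recipient's public key.
    printf '%s' "$session" | openssl pkeyutl -encrypt -pubin -inkey "$pub" \
        -pkeyopt rsa_padding_mode:oaep -out "$prefix.key.enc" || return 1
    # Stream stdin through AES. The secret travels in the environment of
    # this one process rather than in argv, so it is not shown by `ps`.
    SESSION_SECRET=$session openssl enc -aes-256-ctr -pbkdf2 -salt \
        -pass env:SESSION_SECRET -out "$prefix.data.enc"
    rc=$?
    unset session
    return $rc
}

# decrypt_stream PRIVKEY.pem PREFIX  (plaintext on stdout)
# Run on the machine that holds the private key, never on the backup host.
decrypt_stream() {
    priv=$1 prefix=$2
    session=$(openssl pkeyutl -decrypt -inkey "$priv" \
        -pkeyopt rsa_padding_mode:oaep -in "$prefix.key.enc") || return 1
    SESSION_SECRET=$session openssl enc -d -aes-256-ctr -pbkdf2 \
        -pass env:SESSION_SECRET -in "$prefix.data.enc"
    rc=$?
    unset session
    return $rc
}

# Typical use on a finished image:
#   encrypt_stream pub.pem squash < squash.img
#   decrypt_stream priv.pem squash > squash.img
```

The result still has to be decrypted in full before it can be mounted; this sketch does not address loop-mounting.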