I want to encrypt the folder which contains my org-mode files at rest separate from OS level encryption. When working on these files, I would like them to be transparently decrypted so that I can use all file-based Linux and emacs tools, git, rsync, etc. For instance, I would like to keep the files in version control in a couple of places (e.g. laptop, backup server), so I can easily push and pull incremental updates.
However, because the files are private, the files should be encrypted on the backup server except when synchronizing updates. The folder should also be encrypted at rest on my laptop, so that even if somebody manages to log in to my account after a reboot, they will need an additional passphrase to decrypt my personal folder (note: my personal folder is not my /home/ folder. It could be a folder inside the home folder or on a memory stick). I am OK with mounting the files such that they remain readable until I log out or restart the computer. But the files should be mounted so that they do not actively have to be re-encrypted at shutdown. I.e. if there was a power cut, or the memory stick was just removed, the data would remain encrypted until it is unlocked again.
To sum it up, the requirements are:
- folder is always encrypted at rest (no need to re-encrypt at shutdown)
- folder can be mounted decrypted in a transparent fashion to allow use of standard tools (it looks like a normal folder to those tools)
- the folder can grow so I can modify and add files without having to allocate a huge amount of space upfront
- the encrypted folder should behave like a file that can be copied around without special tools and stored on any regular file-system
Bonus:
- using widely available tools only
- can be distributed as a "package" on a memory stick so I can access my files quickly on a new system (i.e. all tools required to decrypt can be shipped as stand-alone binaries)
- possible to set up multiple keys, including a second master key (that I would keep somewhere in case I forget the password)
What good options are available to fulfill the requirements, and maybe even some of the bonuses?