Sounds like what you're looking for is encfs. It's a FUSE layer on top of any existing FS which encrypts and decrypts on-the-fly, storing the encrypted version in the underlying filesystem. The catch is that file metadata (ownership, sizes, times) is visible, but content and names are not.
You can also use --reverse to go the other way around: make an encrypted view of an unencrypted fs -- useful for making rsync-friendly encrypted backups.
EDIT TO ADD
As pointed out by Æsahættr, another usable option is eCryptfs. This is an in-kernel FS driver, which means root permission is required. But it has very low performance overhead and is much faster than encfs in my own tests. While the implementation is quite a bit different between the two, the way you use them is nearly identical:
encfs /base_dir/ /view_dir/
# or
mount -t ecryptfs /base_dir/ /view_dir/
By default, encfs scrambles filenames while ecryptfs does not, but these options are configurable. Also, ecryptfs adds much more per-file overhead than encfs does because it stores metadata in the file itself, while encfs stores it in a hidden xml file. Also, the --reverse option that encfs has doesn't really translate well to ecryptfs; ecryptfs has ecryptfs_encrypted_view but it probably won't work the way you expect it to. Supposedly this is a work-in-progress.
Both can use any filesystem as a base, including, for example, sshfs. But bear in mind that file ownership and permissions are stored as-is on the base filesystem, which could mean access-denied errors if you don't match things up correctly, or losing permissions completely if you base on a FS that doesn't support them.
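
A pre-flight check for the ownership and permission caveat above, as an added example that is not part of the original answer: it probes whether a directory meant to serve as /base_dir keeps Unix mode bits and assigns new files to the current user. The function names are hypothetical, and it assumes GNU stat (Linux).

```shell
#!/bin/sh
# Added example: probe a candidate base (ciphertext) directory before
# layering encfs or eCryptfs on it. Function names are hypothetical.
# Assumes GNU coreutils stat (Linux).

# probe_modes DIR: prints "ok", or "lossy:<written>-><read back>" when the
# filesystem does not store the mode bits that were set.
probe_modes() {
    probe=$(mktemp "$1/.permprobe.XXXXXX") || { echo "unwritable"; return 2; }
    result=ok
    for mode in 600 640 755; do
        chmod "$mode" "$probe" 2>/dev/null
        got=$(stat -c '%a' "$probe")
        if [ "$got" != "$mode" ]; then
            result="lossy:$mode->$got"
            break
        fi
    done
    rm -f "$probe"
    echo "$result"
    [ "$result" = ok ]
}

# probe_owner DIR: prints the "uid:gid" a newly created file receives.
# On sshfs or FAT-style mounts this can differ from the calling user.
probe_owner() {
    probe=$(mktemp "$1/.permprobe.XXXXXX") || return 2
    stat -c '%u:%g' "$probe"
    rm -f "$probe"
}

# preflight DIR: one-line report; non-zero exit when the base directory
# would drop permissions or hand new files to a different uid.
preflight() {
    modes=$(probe_modes "$1") && rc=0 || rc=$?
    owner=$(probe_owner "$1") || owner="unknown:unknown"
    me=$(id -u)
    echo "modes=$modes owner=$owner expected_uid=$me"
    [ "$rc" -eq 0 ] && [ "${owner%%:*}" = "$me" ]
}
```

Run `preflight /base_dir` before mounting; a non-zero exit means the view on top will show wrong or missing permissions.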