Instead of encrypting a whole file system, individual files and directories can be encrypted. The directories and files then exist on the regular filesystem in use but are encrypted, including their names. Backup is therefore easy, since only regular files and directories have to be dealt with.
encfs does the job well; however, it is unmaintained and no longer recommended by its designer, who proposes using gocryptfs instead.
A simple method is encfs: http://www.arg0.net/#!encfs/c1awt. Actually it is not an encrypted file system, it uses regular directories and regular files on the hard disk. It encrypts the files, but not the file system.
Real encrypted file systems are trickier to handle and therefore more prone to losing data. If a crash happened, everything would be gone. Additionally, synchronization tools might not be able to access encrypted file systems.
To avoid all those side effects, encfs might be the desirable solution. The probability that encfs crashes is much lower since regular, well-tested file systems (such as ext2) are used, but if a crash did happen you could still copy the encrypted files to a memory stick and, knowing the password, rescue their content.
Usually encfs uses a hidden directory named .crypt that holds all the encrypted data; for every file and directory there is an encrypted equivalent. Additionally it makes use of a mounting point named crypt. Once mounted, which requires a password, the encrypted files from .crypt can be accessed unencrypted, like normal files, in the crypt directory.
encfs uses the kernel module fuse (from the kernel source or as separate package) that makes the link from the kernel to user space.
Also install the fuse package, since it adds additional libraries.
See man encfs for all options
To mount but also to create the encrypted file systems (with absolute paths):
encfs ~/<some_path>/.crypt ~/<some_path>/crypt
A prompt for the password appears.
When the password is accepted, files and directories can be accessed in crypt and their encrypted twins appear in .crypt.
When finished, unmount it:
fusermount -u ~/<some_path>/crypt
In case a new .crypt directory gets created, encfs prompts for options and passwords. The .crypt/.encfs<n>.xml holds the data and encrypted passwords in the directory.
For changes to the encfs directory, see the info about the encryption:
encfsctl info .crypt
To change the password once in a while, do the following. With the crypt directory not mounted, change to the directory where ls -a shows you the .crypt directory and run:
encfsctl passwd .crypt
gencfs is a simple GUI: http://www.linurs.org/gencfs.html
gocryptfs is considered to be the successor of the no longer maintained encfs. https://nuetzlich.net/gocryps https://github.com/rfjakob/gocryptfs
It supports FIDO2 keys to log in.
It uses a directory somewhere under ~ to hold all the encrypted files and directories and the configuration. Since the encrypted files and directories are regular files and directories, regular backup is possible.
Additionally, a directory that serves as the mounting point to access the decrypted files and directories is required. To avoid conflicts with a backup procedure, this mounting point could be put somewhere under /run/user/<uid>
See man gocryptfs and https://wiki.archlinux.org/title/Gocryptfs
gocryptfs -speed to see what can be used at what speed
gocryptfs -init <directory to be encrypted> to set the password and get a master key that should be printed and hidden in case the password gets forgotten
The configuration goes into gocryptfs.conf
gocryptfs <directory> <mounting point> to mount it
fusermount -u <mounting point> to unmount it
Also, gocryptfs.diriv files are created; those contain keys used to encrypt the filenames in the same directory.
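The gocryptfs steps above as a small shell helper, added here as an example (it is not code from the original page or from the gocryptfs project). It mounts under /run/user/<uid> and checks that an encrypted tree, or a backup copy of it, still has its gocryptfs.conf and per-directory gocryptfs.diriv files. The function names and the gocryptfs/<name> sub-directory are assumptions, and the diriv check assumes the default file name encryption.

```shell
#!/bin/sh
# Added example: helper functions around the gocryptfs commands described above.
# Function names and the "gocryptfs/<name>" sub-directory are assumptions.

# Mount point under the per-user runtime dir, outside anything a backup walks.
gcfs_mountpoint() {
    printf '%s/gocryptfs/%s\n' "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}" "$(basename "$1")"
}

# Check an encrypted tree (or a backup copy of it): gocryptfs.conf must exist
# at the top and, with default file name encryption, every directory needs its
# 16-byte gocryptfs.diriv. Prints each problem, returns non-zero if any.
gcfs_check_tree() {
    [ -f "$1/gocryptfs.conf" ] || { echo "missing: $1/gocryptfs.conf"; return 1; }
    bad=$(find "$1" -type d | while IFS= read -r d; do
        f="$d/gocryptfs.diriv"
        if [ ! -f "$f" ]; then echo "missing: $f"
        elif [ $(wc -c < "$f") -ne 16 ]; then echo "bad size: $f"
        fi
    done)
    [ -z "$bad" ] || { echo "$bad"; return 1; }
}

# Mount the encrypted directory unless it is already mounted.
gcfs_open() {
    mp=$(gcfs_mountpoint "$1")
    gcfs_check_tree "$1" || return 1
    mountpoint -q "$mp" && { echo "already mounted: $mp"; return 0; }
    (umask 077; mkdir -p "$mp") && gocryptfs "$1" "$mp"
}

# Unmount; fusermount -u takes the mount point, not the encrypted directory.
gcfs_close() {
    fusermount -u "$(gcfs_mountpoint "$1")"
}

# Command-line entry: open|close|check <encrypted directory>
case "${1:-}" in
    open)  gcfs_open "$2" ;;
    close) gcfs_close "$2" ;;
    check) gcfs_check_tree "$2" ;;
esac
```

Running the check against the backup copy before relying on it catches a sync tool that skipped the gocryptfs.diriv files, without which the file names in that directory cannot be decrypted.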