EncFS is one of the easiest tools for file-level encryption in a single-node interactive job.
*** This tool is not recommended for use with batch or multi-node interactive jobs. ***
Although it is possible to use EncFS for multi-node interactive or batch jobs, doing so would circumvent the security that an encrypted file or folder provides, because the password or token used to decrypt the data must be stored in plain text.
How To
EncFS needs two directories, one for the encrypted data and the other to temporarily mount the virtual path to the decrypted data. These directories can be named whatever you’d like. For this example, we’ll call them enc and dec.
When referencing either directory in the encfs command, you’ll need to use the full path to the directory. This means you cannot use relative paths like ./ or ../, nor the bare <dir_name> after you cd into the parent directory. You can, however, use ~/<dir_name> if it exists in your home directory.
Let’s say you have a project folder called “foo” and the path to that folder is /data/projects/foo. And let’s also assume you’ve created both the “/projects/foo/enc” and “/dev/shm/dec” directories. The encfs command would look like this:
Mount/Create an EncFS space:
encfs --paranoia /projects/foo/enc /dev/shm/dec
After running that command for the first time, you’ll be prompted for a password for the new encrypted space, which will then be mounted automatically for use. If you’ve already created the space, you’ll be prompted for the password to unlock it.
Once unlocked, you would use /data/projects/foo/decrypted like any other folder to save your work.
Be careful to store all cache and temporary files in /data/projects/foo, if you want/need to make sure no unencrypted remnants of your data are left in /tmp or on /scratch. Ephemeral files from software packages can contain some or all of the content you were working on.
Unmount an EncFS space:
encfs -u /dev/shm/dec
Or
fusermount -u /dev/shm/dec
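
The mount, work and unmount steps above can be wrapped in one shell function for a single-node interactive session. This is an added example, not part of the original guide: the names with_encfs and is_full_path, the 700 permission on the mount point, and placing TMPDIR inside the mounted space are assumptions of the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): run one command with the
# EncFS space mounted, then unmount it whatever the command's exit status.

# encfs wants full paths. The shell expands ~/dir before the function
# sees it, so a usable argument always starts with "/".
is_full_path() {
    case "$1" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Usage: with_encfs <enc_dir> <dec_dir> <command> [args...]
with_encfs() {
    if [ "$#" -lt 3 ]; then
        echo "usage: with_encfs <enc_dir> <dec_dir> <command> [args...]" >&2
        return 2
    fi
    local enc="$1" dec="$2"
    shift 2
    if ! is_full_path "$enc" || ! is_full_path "$dec"; then
        echo "with_encfs: both directories must be full paths" >&2
        return 2
    fi
    # Keep other users on the node out of the decrypted view.
    mkdir -p "$dec" && chmod 700 "$dec" || return 1
    # Prompts interactively for the password; nothing is stored on disk.
    encfs --paranoia "$enc" "$dec" || return 1
    # If the mount did not happen, files written to $dec would be plaintext.
    if ! mountpoint -q "$dec"; then
        echo "with_encfs: $dec is not a mount point, refusing to continue" >&2
        return 1
    fi
    # Assumption of this example: temporary files go inside the mounted
    # space so they are encrypted at rest instead of landing in /tmp.
    mkdir -p "$dec/tmp"
    local rc=0
    TMPDIR="$dec/tmp" "$@" || rc=$?
    fusermount -u "$dec" || { echo "with_encfs: unmount failed" >&2; rc=1; }
    return "$rc"
}

# Example call with the paths used on this page (analysis.py is hypothetical):
#   with_encfs /projects/foo/enc /dev/shm/dec python analysis.py
```

Software that ignores TMPDIR still needs its own cache or scratch setting pointed away from /tmp and /scratch.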