LinuxQuestions.org


Thewyzewun 11-22-2016 01:36 PM

Symlink two folders, one copy encrypted, the other not?
 
I wondered if anyone knows of a way to hijack the symlink mechanism such that it runs any changes through a cipher, resulting in one folder being unencrypted, the other encrypted.

Or, just a way to achieve the same.

I'd like to symlink my Zim notebook folder inside my Dropbox folder with:

Code:

$ ln -s ~/Notebooks ~/Dropbox/Notebooks

But I'd rather not give Dropbox a plain text copy of my notes.

I appreciate there are likely options that involve scheduling a job; I'm curious if anyone who reads this is aware of any means to achieve the ends I'm trying to here.

Thanks for reading :)

Thewyzewun 11-22-2016 01:45 PM

...I was searching with the keyword symlink; I realized I needed to generalize my query to being about normal folders. Since adjusting my keywords, it seems there are some options to explore. I've tried Cryptomator, but I get "Mount Failed", so will try BoxCryptor Classic (https://www.boxcryptor.com/en/download/).

Thewyzewun 11-22-2016 02:22 PM

I get the impression that BoxCryptor may as well not be performing the encryption client-side; they keep a copy of the keys on a centralized server, from what I can tell (so, I'm just introducing an additional party into the mix, not very helpful!).

Anyone got any better ideas? I read about EncFS, but it's not secure in this scenario (as detailed on Wikipedia).

ntubski 11-22-2016 04:27 PM

Quote:

Originally Posted by Thewyzewun (Post 5633505)
I get the impression that BoxCryptor may as well not be performing the encryption client-side; they keep a copy of the keys on a centralized server, from what I can tell (so, I'm just introducing an additional party into the mix, not very helpful!).

They claim that the keys are encrypted by your password, so it should be safe if you choose a sufficiently large and random password.

https://www.boxcryptor.com/en/technical-overview

Quote:

Boxcryptor is a zero-knowledge service provider because any private and sensitive information that we receive from the users will always be in the encrypted form protected by the user’s password - which is never transferred to us or anyone. Only public keys are in plain text.

Quote:

Originally Posted by Thewyzewun
I wondered if anyone knows of a way to hijack the symlink mechanism such that it runs any changes through a cipher, resulting in one folder being unencrypted, the other encrypted.

Or, just a way to achieve the same.

Perhaps you can use an encrypted loopback device? Then you would put the image file of your encrypted file system into the dropbox folder.

rknichols 11-22-2016 05:24 PM

Quote:

Originally Posted by Thewyzewun (Post 5633482)
I wondered if anyone knows of a way to hijack the symlink mechanism such that it runs any changes through a cipher, resulting in one folder being unencrypted, the other encrypted.

Either I am confused or you are. With a symlink (or a hard link, for that matter) there is only one copy of the file stored. It can't be both encrypted and unencrypted. A stacked filesystem like eCryptfs allows you to have an unencrypted view of data that is stored encrypted on the disk. How is that different from what you are asking for?

sundialsvcs 11-22-2016 08:40 PM

"Bzzzzt!!! Nope!!!! (Sorry...)

Let's stop to consider exactly what these two types of "links" actually are. First, the preliminaries:
  • In the Linux system, the physical representation of "a file" is called an inode ... for purely-historical reasons now lost in time.
  • A "directory" is actually a file(!) containing file-names and their corresponding inode numbers.

So... having said all that ...

  1. A "hard link" occurs when there exist (somewhere ... anywhere ...) two-or-more actual directory entries which refer to the same inode number.
  2. A "soft link" is simply a file(!) ... albeit a specially-designated kind of file ... which contains: "a file name."

So far as the file-system is concerned, a hard link is indistinguishable from any other directory entry (although, in fact, the file-system does 'know better' ...). "It contains an inode-number, and that's that."

Whereas a soft link simply leads to "a file name," which then must be separately resolved. (And which may either succeed or fail. You won't know until you try.)

Nowhere in all of this will you find "two separate pathways to the underlying file-system, 'one encrypted and the other not.'" One way or the other, every path leads (or, fails to lead ...) to: "one particular inode."
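
The link behaviour described in the post above, as an added example that is not part of the original thread: a hard link and a symlink are created in a constructed temporary sandbox and every path is shown to resolve to one inode, so no second (encrypted) copy exists behind a link. The function names and the `Notebooks`/`Dropbox` sandbox layout are assumptions made for the illustration.

```sh
#!/bin/sh
# Added illustration; everything lives in a constructed temp directory.

# inode_of PATH: inode number PATH resolves to (-L follows symlinks).
inode_of() {
    ls -Lid -- "$1" | awk '{print $1}'
}

# same_inode A B: succeeds when both paths resolve to one inode.
same_inode() {
    [ "$(inode_of "$1")" = "$(inode_of "$2")" ]
}

# make_sandbox: create Notebooks/note.txt plus a hard link and a symlink
# to it under Dropbox/, then print the sandbox directory.
make_sandbox() {
    d=$(mktemp -d) || return 1
    mkdir "$d/Notebooks" "$d/Dropbox"
    printf 'plain text note\n' > "$d/Notebooks/note.txt"
    ln    "$d/Notebooks/note.txt" "$d/Dropbox/hard.txt"   # second directory entry
    ln -s "$d/Notebooks/note.txt" "$d/Dropbox/soft.txt"   # file that stores a path
    printf '%s\n' "$d"
}

# report DIR: show that every path reads the same bytes, then what each
# link does once the original name is removed.
report() {
    d=$1
    for p in Notebooks/note.txt Dropbox/hard.txt Dropbox/soft.txt; do
        printf '%-20s inode=%s content=%s\n' \
            "$p" "$(inode_of "$d/$p")" "$(cat "$d/$p")"
    done
    printf 'symlink stores: %s\n' "$(readlink "$d/Dropbox/soft.txt")"
    rm "$d/Notebooks/note.txt"
    # The hard link still names the inode; the symlink's path no longer resolves.
    [ -e "$d/Dropbox/hard.txt" ] && echo 'hard link: still readable'
    [ -e "$d/Dropbox/soft.txt" ] || echo 'symlink: dangling'
}

sandbox=$(make_sandbox) && report "$sandbox" && rm -rf "$sandbox"
```

Anything a sync client reads through either link is the same plaintext bytes as the original file.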

Thewyzewun 11-23-2016 03:05 AM

Quote:

Originally Posted by ntubski (Post 5633561)
They claim that the keys are encrypted by your password, so it should be safe if you choose a sufficiently large and random password.

https://www.boxcryptor.com/en/technical-overview

Still, I would rather not trust a third party provider to be competent enough 24/7 to keep their word regarding "safety" - it's a massive thing to try and offer a customer, as endless companies have discovered in recent years when they've been hacked. It's not a trivial matter for any online entity to "keep their word" on this - there are many who see any centralized repository of private information as having a target painted on its back, and all year round these individuals probe for weaknesses, and if they've got targets in mind, perhaps just keep an ear out for new security problems, ready to spring into action as soon as they hear of something they can maybe use to get a foothold somewhere.

Quote:

Originally Posted by ntubski (Post 5633561)
Perhaps you can use an encrypted loopback device? Then you would put the image file of your encrypted file system into the dropbox folder.

I hadn't thought of that :) thank you very much, that sounds like it just might work!

EDIT: I don't think it quite will - I'm very much looking for a transparent, set it and forget it option.
All I want to do is back up some files, and keep the key locally.

I think a sensible solution might be a scheduled task - I think it is that I am trying to set up something that "syncs on change" that is making this more difficult than it need be.

replica9000 11-27-2016 10:33 AM

If I understand the question right, it's possible to do what you want with ecryptfs.

Code:

mount.ecryptfs folder1 folder2

If you use the option plaintext passthrough, anything created/copied in folder1 will appear normal in both folder1 and folder2. Anything created/copied into folder2 will be encrypted.

Is the dropbox folder a FUSE filesystem? I believe it is also possible to stack FUSE filesystems.

