# Encryption Layers

## Age Encryption

Age is a modern, simple file encryption tool.

### Key Location

```
~/.secrets/.age/
├── key.txt          # Primary Age identity
└── recipients.txt   # Public keys for encryption
```

### Usage

```bash
# Encrypt a file to every public key listed in recipients.txt
age -R ~/.secrets/.age/recipients.txt -o secret.age plaintext.txt

# Decrypt a file
age -d -i ~/.secrets/.age/key.txt -o plaintext.txt secret.age
```

## gocryptfs

gocryptfs provides encrypted filesystem containers.

### Vaults Structure

```
~/atelier/_vaults/
├── credentials/       # Service credentials
├── work-sensitive/    # Work-related secrets
├── network-configs/   # Router/firewall configs
└── personal/          # Personal documents
```

### Mount Commands

```bash
# Mount a vault
gocryptfs ~/atelier/_vaults/credentials ~/mnt/credentials

# Unmount
fusermount -u ~/mnt/credentials
```

## LUKS2 Full-Disk Encryption

LUKS provides full-disk encryption for USB backup drives.

### Drive Layout

```
Seagate 1.8TB USB (x2 identical)
├── LUKS2 encrypted container
│   └── BTRFS filesystem
│       ├── @backups/
│       ├── @secrets/
│       └── @recovery/
```

### LUKS Operations

```bash
# Open LUKS container
sudo cryptsetup luksOpen /dev/sdX1 backup-drive

# Mount
sudo mount /dev/mapper/backup-drive /mnt/backup

# Unmount and close
sudo umount /mnt/backup
sudo cryptsetup luksClose backup-drive
```

## GPG (GNU Privacy Guard)

GPG is used for gopass and git commit signing.

### Key Types

| Key | Purpose |
| --- | --- |
| Personal master key | Code signing, encryption |
| Subkeys | Daily operations |
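The Age key directory described under Key Location holds a private identity next to a file of public recipients, so it is worth checking that the two have not been mixed up or left readable by other users. The script below is an added example, not part of the original page: `audit_age_dir` is a hypothetical helper name, and it assumes GNU `stat` on Linux.

```shell
#!/usr/bin/env bash
# Added example: audit the Age key directory (layout from "Key Location").
# Assumes GNU stat (Linux). audit_age_dir is a hypothetical helper name.
# Prints one line per finding; the return status is the number of findings.
audit_age_dir() {
    local dir="$1" findings=0 mode line
    local key="$dir/key.txt" rcpt="$dir/recipients.txt"

    # The identity (private key) must exist and be readable by its owner only.
    if [ ! -f "$key" ]; then
        echo "MISSING  $key"; findings=$((findings + 1))
    else
        mode=$(stat -c '%a' "$key")
        case $mode in
            600|400) ;;
            *) echo "PERMS    $key is mode $mode, want 600 or 400"
               findings=$((findings + 1)) ;;
        esac
    fi

    # recipients.txt may hold only public keys, comments and blank lines.
    if [ ! -f "$rcpt" ]; then
        echo "MISSING  $rcpt"; findings=$((findings + 1))
    else
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                ''|'#'*) ;;                            # blank line or comment
                AGE-SECRET-KEY-*)                      # private key pasted by mistake
                    echo "SECRET   private identity found in $rcpt"
                    findings=$((findings + 1)) ;;
                age1*|'ssh-ed25519 '*|'ssh-rsa '*) ;;  # recipient formats age accepts
                *)  echo "FORMAT   unrecognised recipient line in $rcpt"
                    findings=$((findings + 1)) ;;
            esac
        done < "$rcpt"
    fi
    return "$findings"
}

# Run as a script: ./audit-age.sh ~/.secrets/.age
if [ "$#" -gt 0 ]; then audit_age_dir "$1"; fi
```
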