I just got out of an excellent conference on [eCryptFS]. For the first time, I have seen an encrypted filesystem that addresses, or at least seems to be concerned with, most of my issues with this kind of system. First of all, the policy is set separately through external configuration files (the exact language still needs to be addressed, however). It supports different encryption schemes and has an [OpenPGP]-inspired on-disk format, with the necessary code to allow ciphertext-passthrough transfer, even to a remote site. The format is a kind of stream of OpenPGP blocks, with content encrypted block by block instead of as a whole, but it should be easy to patch [GnuPG] so that it is able to decrypt such a format. The reason for such a format is to allow fast dynamic verification, using a convoluted hash of each block, allowing true random access to the file. It also has file-granularity encryption (contrary to most encrypted filesystems) and uses session keys, allowing multiple authoritative keys for each file (just like any gpg-encrypted file). Briefly, it is a strong competitor to [Microsoft EFS] on MS Windows.
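To make the design described above concrete, here is an added toy model (my own example, not eCryptfs's code or its real on-disk format): one per-file session key wrapped to several authoritative keys, and a body that is encrypted and integrity-tagged block by block so that a single block can be verified and read without touching the rest. The block size, the labels and the HMAC-SHA256 keystream are assumptions made for the demo, not anything from the talk.

```python
import hmac, hashlib, secrets

BLOCK = 16  # constructed: tiny block size for the demo; the real extent size is not given on the page

def _keystream(key: bytes, label: bytes, n: int) -> bytes:
    """PRF-based keystream: HMAC-SHA256(key, label || counter), truncated to n bytes."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, label + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _blk_label(idx: int) -> bytes:
    return b"blk" + idx.to_bytes(8, "big")

def encrypt_file(plaintext: bytes, recipient_keks: dict) -> dict:
    """Per-file session key (FEK) wrapped once per recipient; body encrypted and tagged block by block."""
    fek = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)          # per-file, so a KEK's wrap keystream is never reused
    mac_key = hashlib.sha256(b"mac" + fek).digest()
    header = {name: _xor(fek, _keystream(kek, b"wrap" + salt, 32))
              for name, kek in recipient_keks.items()}
    blocks = []
    for i in range(0, len(plaintext), BLOCK):
        idx = len(blocks)
        ct = _xor(plaintext[i:i + BLOCK], _keystream(fek, _blk_label(idx), BLOCK))
        tag = hmac.new(mac_key, _blk_label(idx) + ct, hashlib.sha256).digest()
        blocks.append((ct, tag))
    return {"salt": salt, "wrapped_fek": header, "blocks": blocks}

def unwrap_fek(container: dict, name: str, kek: bytes) -> bytes:
    """Any one authorised key holder recovers the same FEK from their own header entry."""
    return _xor(container["wrapped_fek"][name], _keystream(kek, b"wrap" + container["salt"], 32))

def verify_block(container: dict, fek: bytes, idx: int) -> bool:
    """Check one block's integrity tag; the tag binds the block index, so swapped blocks are detected."""
    mac_key = hashlib.sha256(b"mac" + fek).digest()
    ct, tag = container["blocks"][idx]
    expected = hmac.new(mac_key, _blk_label(idx) + ct, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)

def read_block(container: dict, fek: bytes, idx: int) -> bytes:
    """Random access: verify and decrypt a single block without touching the others."""
    if not verify_block(container, fek, idx):
        raise ValueError(f"block {idx} failed integrity check")
    ct, _ = container["blocks"][idx]
    return _xor(ct, _keystream(fek, _blk_label(idx), len(ct)))
```

The per-block tag is what makes random access safe: a reader can check and decrypt block 3 of a large file without hashing the whole thing, and a block moved or modified on disk fails its own check while the others still read correctly.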
[Microsoft EFS]: http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/prnb_efs_qutx.asp