Easiest simple folder encryption method these days?


    I used to use ecryptfs to set up encrypted directories in linux, but apparently it's no longer recommended, developed, or supported, so I'm wondering about the current best practice.

    I have a newbie friend who has made the jump to linux (debian+kde) (edit to add: I'm asking re: kubuntu here, but general info is welcome) and he wants to set up an encrypted directory to contain sensitive client data. We opted not to do full-disk/partition encryption on install because I thought it would be simpler to just have an encrypted dir somewhere... that might have been a bad call!

    I've been looking into fscrypt.
    Things I like:
    - though still painful, not a terrible pain to set up
    - PAM integration means he doesn't have to enter extra passwords or go to the CLI after login to access the data
    Things I don't like:
    - can't back up the folder when it is locked, which is basically a deal-breaker

    I looked into LUKS, but that seems like a minor nightmare to get set up. I was tempted by this answer, though, which makes it look pretty simple, but I still have more to research...

    Are there any other options? (I don't mean to whine; it's surprising how difficult this is to do on linux in 2024... I'd have thought by now that you could just right-click a folder in any file manager and say "encrypt with my login password", be able to back it up, etc.)

    Thanks!

    #2
    Sorry for the bump -- just seeking any perspectives or help people might have on this subject. Seems pretty important, so surely I'm not the only one struggling with these questions. Thanks!



      #3
      Plasma's built-in Vaults
      iirc they are unlocked at login.
      https://www.zdnet.com/article/how-to...th-kde-vaults/

      Originally posted by chconnor
      - can't back up the folder when it is locked, which is basically a deal-breaker
      That will be a given, though you can of course back up the encrypted files/directories as part of the backup regimen.

      If you want to decrypt specific folders at login, why not just encrypt the whole user $HOME, or the entire install?

      Originally posted by chconnor
      I'd have thought by now that you could just right-click a folder in any file manager and say "encrypt with my login password",
      There are service menus for Dolphin that can be installed that include encryption.
      But tbh, if it is decrypted at login, what is the point of having a user directory encrypted, instead of the whole shebang?
      If these files are copied or backed up somewhere unencrypted, what is the point?



        #4
        Originally posted by claydoh
        Plasma's built-in Vaults
        Thanks! Didn't know about those but they are neat; unfortunately they are not decrypted on login and require password entry to unlock. It does appear that you can copy the encrypted directory to do a backup and can restore it, but the restoration process looks a little rough [see edit below] (replacing the directory in place went smoothly -- just had to remove the "integritydata" file, but recreating from scratch looks more involved.) Maybe there's not going to be an easy way around that, but these systems (CryFS in this case) seem to always have relatively complicated dot files here and there that make it a bit technical to do a restoration. TLDR: looks great overall but the login issue remains.

        EDIT: just went through the restoration-to-new-location and it wasn't bad at all... This post details the procedure.

        That will be a given, though you can of course back up the encrypted files/directories as part of the backup regimen.
        Sorry, we might have miscommunicated here: with ecryptfs I was able to back up files/folders when they were encrypted by just copying the encrypted directory. I could then copy it back to some other location and decrypt as needed to extract files from the backup. Not possible with fscrypt, IIUC (documentation says you can't do it, at least that was my interpretation; I believe because of filesystem-level encryption used).

        If you want to decrypt specific folders at login, why not just encrypt the whole user $HOME, or the entire install?
        Yeah, that would have been better. The reasons were:

        1) not wanting to deal with encryption when backing up non-essential stuff, e.g. doing a partition backup of /home leaves most of the files in the backup more easily accessible (for the non-tech user I'm supporting). I've had to recover things from encrypted dirs before and it was a pain, especially when 99% of the stuff in /home didn't really need it. Having to jump through all the hoops just to e.g. recover a config file for an app that got corrupted is tiresome.
        2) believing (incorrectly) that it would be simple to set up an encrypted directory that could be easily backed up in encrypted form that would open upon login.
        3) I know that performance isn't a big concern with this, but given that I believed (2) it seemed nice to avoid full-partition encryption as a small win.

        If these files are copied or backed up somewhere unencrypted, what is the point?
        They wouldn't be backed up unencrypted, just in encrypted form.
        Last edited by chconnor; Jun 27, 2024, 10:40 PM.



          #5
          Just following up in case anyone else finds this: best way to back up vaults seems to be to copy the ~/.local/share/plasma-vault/MyVault.enc directory (or wherever you specified it) to your backups (presumably it's smart to lock it first if it is not already), then when you want to restore files:

          - make a new vault that will contain the vault contents
          - cryfs /backup/location/MyVault.enc /temporary/mount/location/for/files/myvault_files/
          - copy decrypted files from the mount location into the new vault location
          - unmount /temporary/mount/location/for/files/myvault_files/

          ...apparently in KDE6 you will be able to do:

          Code:
          qdbus6 org.kde.kded6 /modules/plasmavault requestImportVault
          ...which should be a lot easier? Relevant link:

          https://bugs.kde.org/show_bug.cgi?id=386200#c38
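
Added example, not part of the original post: the backup and restore steps from #5 as shell functions that refuse to copy the encrypted directory while the vault is unlocked and verify the copy by checksum. The function names, their arguments and the optional mounts-table argument are assumptions for illustration; `restore_vault` assumes a CryFS version that ships `cryfs-unmount`.

```shell
#!/bin/sh
# Added example (not from the thread). Function names, arguments and the
# optional mounts-table argument are assumptions made for illustration.

# Succeeds if $1 is listed as a mount point in the mounts table $2.
is_mounted() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# Prints a sorted SHA-256 manifest of every file under directory $1.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

# Copies encrypted vault dir $1 into $3/<name>.<timestamp>, refusing to run
# while the vault is unlocked (mounted at $2). Prints the backup path.
backup_vault() {
    enc=$1; mnt=$2; dest=$3; mounts=${4:-/proc/mounts}
    [ -d "$enc" ] || { echo "no vault directory: $enc" >&2; return 2; }
    if is_mounted "$mnt" "$mounts"; then
        echo "vault is unlocked at $mnt; lock it before backing up" >&2
        return 3
    fi
    target="$dest/$(basename "$enc").$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$target" && cp -a "$enc/." "$target/" || return 1
    # Ciphertext must match byte for byte or the copy cannot be decrypted later.
    [ "$(manifest "$enc")" = "$(manifest "$target")" ] ||
        { echo "verification failed: $target" >&2; return 4; }
    printf '%s\n' "$target"
}

# Mounts backup copy $1 on a temporary directory (cryfs prompts for the vault
# password), copies the decrypted files into $2, then unmounts again.
restore_vault() {
    tmp=$(mktemp -d) || return 1
    cryfs "$1" "$tmp" || { rmdir "$tmp"; return 1; }
    cp -a "$tmp/." "$2/"; rc=$?
    cryfs-unmount "$tmp" && rmdir "$tmp"
    return "$rc"
}
```

For `restore_vault`, the second argument is the mount point of the new, already unlocked vault created in the first step of the procedure.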
