I used to use the following setup gdrive --> cache --> crypt but decided to give vfs a try since cache is apparently being depreciated.
I noticed that the vfs cache stores the unencrypted data!
Is there any way to set it up so that the cached data are the encrypted files that are then unencrypted in the system's RAM?
Can I not just rclone mount gdrive: ~/local_drive_a --vfs-cache-mode full
to then just rclone mount crypt ~/local_drive_b
with crypt pointing to ~/local_drive_a ?
Well, the issue would be that the normally unencrypted files stored in the cache are easily accessible to anyone with physical access to the hard drive.
The split setup, as proposed above, makes it so that only the encrypted files are stored in the cache. At least that's how I understand it works. Correct me if I am wrong.
That's true for every file stored on a physical disk. You'd use disk encryption for that use case imo.
It would work like that, albeit no idea how performance would be.
In general, there are other tools for physical security if the disk being stolen is the use case you are going for. If someone has physical access, you need to encrypt the rclone.conf as well as that's another entry point. Logical access on the box means anyone with that access can see the decrypted files on the mount as well.