Filesystem-level encryption, is a form of disk encryption where individual files or directories are encrypted by the file system, in contrast to full disk encryption where the entire partition or disk, where the file system resides, is encrypted.
The advantages of filesystem-level encryption include more flexible file-based key management and access control with public-key encryption and the fact that cryptographic keys are only kept in memory while a file using them is opened.
General-purpose filesystems with encryption
Unlike cryptographic filesystems and full disk encryption, generic filesystems with filesystem-level encryption do not typically encrypt filesystem metadata, such as the directory structure, file names, modification timestamps or sizes. This can be problematic if the content to be encrypted has to be undetectable or its existance unprovable.
Notable filesystems that support this kind of encryption include the Encrypting File System layer of NTFS.
Cryptographic filesystems
Cryptographic filesystems are filesystems that are specifically designed with encryption and security in mind. They usually encrypt all the data they contain – including metadata. Instead of implementing an on-disk format and their own block allocation, these filesystems are often layered on top of existing filesystems, for example, residing in a directory on a primary filesystem. Many such filesystems also offer advanced features, such as deniable encryption, cryptographically secure read-only file system permissions and different views of the directory structure depending on the key or user.
See also
 | This cryptography-related article is a stub. You can help Wikipedia by expanding it. |