I would like to run Paperless on my home server. While this server is not running sensitive data, this would change once Paperless gets to manage all my invoices, bank statements, health docs and so on. So while running my Proxmox VMs and LXCs unencrypted, in this case I'd like to encrypt paperless-ngx data so that if someone steals the machine, manual decryption would be necessary. Does anyone have an idea how to achieve that?
Full disk encryption of the underlying disk (cryptsetup/LUKS)
Put Docker on ZFS (you should do it anyway regardless of encryption) and use ZFS native encryption. The benefit over other filesystems is that you can load/unload decryption keys for sensitive data only when you need to access it. And you can back it up in encrypted form, so your backup software will never see plain text. You can do similar stuff with VeraCrypt or other encrypted volumes and a bind mount.
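
The ZFS workflow from the last reply (an encrypted dataset, key loaded and unloaded on demand, backups sent in encrypted form), as an added sketch that is not part of the original thread. The dataset name `tank/paperless`, the mountpoint `/srv/paperless` and the snapshot names are assumptions; the script only prints the commands unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example. Assumed names: dataset tank/paperless, mountpoint /srv/paperless.
DATASET="${DATASET:-tank/paperless}"
MOUNTPOINT="${MOUNTPOINT:-/srv/paperless}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only, 0 = execute them

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One-time setup: passphrase is prompted for, never stored on the disk,
# so a stolen machine boots with the dataset locked.
create_dataset() {
    run zfs create -o encryption=on -o keyformat=passphrase \
        -o keylocation=prompt -o mountpoint="$MOUNTPOINT" "$DATASET"
}

# After a reboot: ask for the passphrase, then mount the dataset.
unlock_dataset() {
    run zfs load-key "$DATASET" && run zfs mount "$DATASET"
}

# Stop the Paperless containers first, then unmount and drop the key from memory.
lock_dataset() {
    run zfs unmount "$DATASET" && run zfs unload-key "$DATASET"
}

# Prints "available" when the key is loaded, "unavailable" when locked.
key_status() {
    run zfs get -H -o value keystatus "$DATASET"
}

# Raw send keeps the blocks encrypted, so the backup target never sees plain text.
# Pipe the output to a file or to "zfs receive" on the backup host.
backup_raw() {
    run zfs snapshot "$DATASET@$1" && run zfs send --raw "$DATASET@$1"
}

case "${1:-}" in
    create) create_dataset ;;
    unlock) unlock_dataset ;;
    lock)   lock_dataset ;;
    status) key_status ;;
    backup) backup_raw "${2:?snapshot name required}" ;;
esac
```

The Paperless data directories have to live under the mountpoint (for example as Docker bind mounts) for the lock step to actually protect them.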