Plash is a sandbox for running GNU/Linux programs with minimum privileges. It is suitable for running both command line and GUI programs. It can dynamically grant Gtk-based GUI applications access rights to individual files that you want to open or edit. This happens transparently through the Open/Save file chooser dialog box, by replacing GtkFileChooserDialog. Plash virtualizes the file namespace and provides per-process/per-sandbox namespaces. It can grant processes read-only or read-write access to specific files and directories, mapped at any point in the filesystem namespace. It does not require modifications to the Linux kernel.
crypt++.el is a package of Lisp functions that recognize automatically encrypted and encoded (i.e., compressed) files when they are first visited or written. The BUFFER corresponding to the file is decoded and/or decrypted before it is presented to the user. The file itself is unchanged on the disk. When the buffer is subsequently saved to disk, a hook function re-encodes the buffer before the actual disk write takes place.