One of the most commonly used tools for data-at-rest encryption is GPG, which allows a user to encrypt, decrypt, and digitally sign files using public and private keys [1].
This will encrypt the <file> such that only the user associated with the --recipient email can access it. To decrypt:
gpg --decrypt <file>.gpg
Filesystem Encryption
LUKS2 (Linux Unified Key Setup) is the standard encryption tool. It works together with Argon2, the key derivation function that acts as the “lock mechanism” for LUKS2. LUKS2 commands are accessed via cryptsetup.
Example
This command will format and set up the /dev/sdX device with LUKS2:
sudo cryptsetup luksFormat --type luks2 /dev/sdX
When cryptsetup encrypts a filesystem, it uses Argon2 automatically. The Argon2 settings are embedded in the LUKS2 header rather than kept in a separate config file.
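Because the Argon2 settings live in the LUKS2 header, they can be audited straight from a header image: the 4096-byte big-endian binary header is followed by a NUL-padded JSON area that lists each keyslot's `kdf` object. The Python below is an added example, not part of the original page or of cryptsetup; the function names, the 64 MiB memory floor and the sample image are assumptions constructed for illustration, and the header checksum is not verified.

```python
import json
import struct

LUKS2_MAGIC = b"LUKS\xba\xbe"
BIN_HDR_SIZE = 4096  # primary binary header; the JSON metadata area follows it


def read_keyslot_kdfs(image: bytes) -> dict:
    """Return {keyslot id: kdf object} from the primary LUKS2 header of a raw image."""
    if len(image) < BIN_HDR_SIZE:
        raise ValueError("image shorter than a LUKS2 binary header")
    # magic[6], version (u16), hdr_size (u64): all big-endian
    magic, version, hdr_size = struct.unpack_from(">6sHQ", image, 0)
    if magic != LUKS2_MAGIC or version != 2:
        raise ValueError("not a LUKS2 primary header")
    if not BIN_HDR_SIZE < hdr_size <= len(image):
        raise ValueError("hdr_size is inconsistent with the image length")
    # The JSON area is NUL-padded up to hdr_size.
    raw_json = image[BIN_HDR_SIZE:hdr_size].split(b"\x00", 1)[0]
    metadata = json.loads(raw_json)
    return {slot: ks["kdf"] for slot, ks in metadata.get("keyslots", {}).items()}


def weak_keyslots(kdfs: dict, min_memory_kib: int = 65536) -> list:
    """Keyslots not using Argon2, or using less memory than the (assumed) policy floor."""
    weak = []
    for slot, kdf in sorted(kdfs.items()):
        if not kdf.get("type", "").startswith("argon2"):
            weak.append(slot)
        elif kdf.get("memory", 0) < min_memory_kib:
            weak.append(slot)
    return weak


def build_sample_image() -> bytes:
    """Constructed sample: a minimal 16 KiB header with two keyslots (illustrative values)."""
    meta = {"keyslots": {
        "0": {"type": "luks2", "kdf": {"type": "argon2id", "time": 4, "memory": 1048576, "cpus": 4}},
        "1": {"type": "luks2", "kdf": {"type": "pbkdf2", "hash": "sha256", "iterations": 1000}},
    }}
    hdr_size = 16384
    binary = struct.pack(">6sHQ", LUKS2_MAGIC, 2, hdr_size).ljust(BIN_HDR_SIZE, b"\x00")
    return binary + json.dumps(meta).encode().ljust(hdr_size - BIN_HDR_SIZE, b"\x00")


if __name__ == "__main__":
    kdfs = read_keyslot_kdfs(build_sample_image())
    print(kdfs, weak_keyslots(kdfs))
```

On the constructed image, keyslot 1 is flagged because it uses PBKDF2 instead of Argon2.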
Footnotes
[1] This is also known as asymmetric key cryptography: something can be encrypted with one key and decrypted with another.