I don't really care about that, since my threat model doesn't involve Hetzner looking through my photos and training an AI model on them. If/when I move this off to my own hardware, then I'll do full disk encryption, since my threat model may involve someone stealing my hardware.

Docker could be run on the VPS, and the storage leg could be encrypted.

I'm presuming some VPS providers allow converting your VPS disk image to something that supports encryption.

Is that something that docker can do?

I presume gocryptfs can be used to wrap an SMB mounted Hetzner storage box. Haven’t tried it myself though.

I would be careful storing any personal data on it unencrypted.

rclone.

Just use rclone if you need to turn object storage semantics usage into an encrypted mount.

It doesn't do well with non-object-storage access patterns but we're not putting an sqlite database on it here so that should be fine.

rclone has a `crypt` layer you can just paper over any of it's backends and still access through any of it's comfortable ways.

I'd personally likely bind mount the database folder over the rclone mount or the other way around, as needed to keep that database on a local filesystem.

In my experience mounting smb share inside docker containers has been very very unreliable...