Since tar does not support any encryption capabilities, I was looking for a solution to encrypt and decrypt files directly within dom0. I found ccrypt as the most simple and secure solution. But this would also require a dom0 installation…
Option B: make a no-network, minimal-template-based appVM, install ccrypt, and pilot everything via dom0: sending files to the appVM → make a qvm-run --pass-io … to do the encryption remotely and pass it back to dom0, but this also sounds like a complex workaround.
It will only be used in dom0. I am coding an automated minimal Debian script, and for some appVMs I would also like to automatically push some secrets (bookmarks, keys, VPN config files, etc.). This will be stored in a separate folder (in dom0). I would like to back up this folder / move it to a 2nd Qubes OS installation, therefore it should be encrypted when leaving dom0.
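Option B from the post, sketched as an added example (not the poster's script and not Qubes project code): the folder is streamed as tar from dom0 through `qvm-run --pass-io` into a network-less qube running ccrypt as a filter, and only ciphertext is written back. The qube name `crypt-vm`, the key file path inside it, and the overridable `RUNNER`/`ENC_CMD`/`DEC_CMD` variables are assumptions; note that the qube sees the plaintext, and that dom0 only hashes what comes back rather than unpacking it.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names: a network-less
# qube "crypt-vm" with ccrypt installed and a key file already inside it.
VAULT_VM="${VAULT_VM:-crypt-vm}"               # hypothetical qube name
KEYFILE="${KEYFILE:-/home/user/backup.key}"    # hypothetical path inside the qube
# Command prefix that runs a filter in the qube with dom0 stdin/stdout attached.
RUNNER="${RUNNER:-qvm-run --pass-io $VAULT_VM}"
ENC_CMD="${ENC_CMD:-ccrypt -e -k $KEYFILE}"    # ccrypt acts as a filter without file args
DEC_CMD="${DEC_CMD:-ccrypt -d -k $KEYFILE}"

# Stream SRC_DIR as tar through the qube; write ciphertext to OUT in dom0.
encrypt_dir() {
    src=$1; out=$2; tmp="$out.part"
    tar -C "$(dirname "$src")" -cf - "$(basename "$src")" \
        | $RUNNER "$ENC_CMD" > "$tmp" || { rm -f "$tmp"; return 1; }
    # An empty result means the qube-side command produced nothing.
    [ -s "$tmp" ] || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$out"
}

# Decrypt in the qube and only hash the result in dom0 (no parsing of
# qube-supplied data there); compare with a fresh tar stream of SRC_DIR.
# Assumes SRC_DIR has not changed since encrypt_dir ran.
verify_archive() {
    src=$1; enc=$2
    want=$(tar -C "$(dirname "$src")" -cf - "$(basename "$src")" | sha256sum)
    got=$($RUNNER "$DEC_CMD" < "$enc" | sha256sum)
    [ "$want" = "$got" ]
}

# Usage: script SRC_DIR OUT_FILE
if [ "$#" -eq 2 ]; then
    encrypt_dir "$1" "$2" && verify_archive "$1" "$2" && echo "ok: $2"
fi
```

Setting `RUNNER="sh -c"` with a local filter command exercises the same pipeline on a machine without Qubes.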