diff --git a/site-cookbooks/kosmos-postgresql/files/encfs.service b/site-cookbooks/kosmos-postgresql/files/encfs.service
new file mode 100644
index 0000000..4fdef2a
--- /dev/null
+++ b/site-cookbooks/kosmos-postgresql/files/encfs.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=EncFS for PostgreSQL data dir
+Before=postgresql@12-main.service
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/bin/mount_pg_encfs
+ExecStop=/bin/umount /var/lib/postgresql
+[Install]
+WantedBy=multi-user.target
diff --git a/site-cookbooks/kosmos-postgresql/recipes/replica.rb b/site-cookbooks/kosmos-postgresql/recipes/replica.rb
index 6bbcb75..00345f2 100644
--- a/site-cookbooks/kosmos-postgresql/recipes/replica.rb
+++ b/site-cookbooks/kosmos-postgresql/recipes/replica.rb
@@ -29,6 +29,7 @@ postgresql_service = "postgresql@#{postgresql_version}-main"
 postgresql_custom_server postgresql_version do
   role "replica"
+  encfs true
 end
 service postgresql_service do
diff --git a/site-cookbooks/kosmos-postgresql/resources/server.rb b/site-cookbooks/kosmos-postgresql/resources/server.rb
index b6919e8..1aa074c 100644
--- a/site-cookbooks/kosmos-postgresql/resources/server.rb
+++ b/site-cookbooks/kosmos-postgresql/resources/server.rb
@@ -2,6 +2,7 @@ resource_name :postgresql_custom_server
 property :postgresql_version, String, required: true, name_property: true
 property :role, String, required: true # Can be primary or replica
+property :encfs, [TrueClass, FalseClass], default: false
 action :create do
   postgresql_version = new_resource.postgresql_version
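Review bot: `Before=postgresql@12-main.service` only orders the two units; it does not make PostgreSQL depend on the mount, so if `/usr/local/bin/mount_pg_encfs` fails the database unit is still started against the bare mount point instead of being held back with it. Adding `RequiredBy=postgresql@12-main.service` to the `[Install]` section (keeping `Before=`) ties the database start to a successful mount. The unit also hardcodes major version 12 while the resource it ships with takes `postgresql_version` as a property; the file would need to become a template to follow that value.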
@@ -43,6 +44,40 @@ action :create do
     password postgresql_data_bag_item['replication_password']
   end
+  if new_resource.encfs
+    # FIXME: encfs always runs a configuration assistant when creating a new
+    # volume, so this needs to be done manually:
+    # systemctl stop postgresql@12-main
+    # mv /var/lib/postgresql /var/lib/postgresql.old
+    # encfs /var/lib/postgresql_encrypted /var/lib/postgresql --public
+    # Pick p (paranoia mode) and enter the password from the data bag twice
+    # mv /var/lib/postgresql/* /var/lib/postgresql/
+    # systemctl start postgresql@12-main
+    package "encfs"
+    template "/usr/local/bin/mount_pg_encfs" do
+      source "mount_pg_encfs.erb"
+      mode "0700"
+      variables password: postgresql_data_bag_item["encfs_password"]
+    end
+    execute "systemctl daemon-reload" do
+      command "systemctl daemon-reload"
+      action :nothing
+    end
+    # The service will automatically mount the encrypted volume on startup
+    cookbook_file "/lib/systemd/system/encfs_postgresql.service" do
+      source "encfs.service"
+      notifies :run, "execute[systemctl daemon-reload]", :delayed
+    end
+    service "encfs_postgresql" do
+      action [:enable]
+    end
+  end
   shared_buffers = if node['memory']['total'].to_i / 1024 < 1024 # > 1GB RAM
     "128MB"
   else # >= 1GB RAM, use 25% of total RAM
diff --git a/site-cookbooks/kosmos-postgresql/templates/mount_pg_encfs.erb b/site-cookbooks/kosmos-postgresql/templates/mount_pg_encfs.erb
new file mode 100644
index 0000000..e2ce74e
--- /dev/null
+++ b/site-cookbooks/kosmos-postgresql/templates/mount_pg_encfs.erb
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/bin/echo "<%= @password %>" | encfs /var/lib/postgresql_encrypted /var/lib/postgresql --public -S
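Review bot: The manual procedure in the FIXME comment has a typo that makes the copy-back step a no-op: after `mv /var/lib/postgresql /var/lib/postgresql.old` the data has to come back from the `.old` directory, so the line should read `# mv /var/lib/postgresql.old/* /var/lib/postgresql/`. The `template "/usr/local/bin/mount_pg_encfs"` resource renders the data-bag password into a file on disk; `mode "0700"` keeps it root-only, but add `sensitive true` to the resource so Chef does not print the rendered content in converge logs and diffs. The comment and the shipped `encfs.service` hardcode `postgresql@12-main` while this action has `postgresql_version` in scope, so `postgresql@#{postgresql_version}-main` would keep the two in step. `service "encfs_postgresql"` is only enabled, never started, so the first mount after the manual steps relies on the encfs command run by hand rather than on this resource. The `action :create` block starts before and ends after this hunk.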
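Review bot: `/bin/echo "<%= @password %>"` drops the data-bag password into a double-quoted shell string, so a value containing `"`, `$`, a backtick or a backslash is mangled before it reaches encfs (dash's `echo` also interprets backslash escapes), which at best fails the mount and at worst has the shell evaluate part of the secret. Writing the line as `printf '%s' <%= @password.shellescape %> | encfs /var/lib/postgresql_encrypted /var/lib/postgresql --public -S` quotes the value for the shell and stops appending the trailing newline that `echo` adds; `shellescape` comes from the stdlib `shellwords` library, which the template context presumably has loaded, so confirm that before relying on it. Whether encfs strips that trailing newline when reading with `-S` is not established by this diff, and `printf '%s'` removes the question.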