I need to encrypt some large files at rest and then decrypt them immediately prior to processing.

App and files are on a Linux system (CentOS). App is in C. Machine is controlled by a third party.

What encryption libraries would you recommend? And, is there any clever way of managing the decryption key beyond compiling it in the code and doing some basic obfuscation?

Are they fancy obfuscation libraries out there, for example?

And, the reason I'm not going to SO (well, one reason) is that I don't want to have 50 answers that tell me that's it's impossible to 100% protect data on a machine you don't control. This I understand---just looking for "best effort" solution.

Do you want obfuscation or security?

For obfuscation you could UUENCODE it and then gzip it. Or some combination.

For security you could transfer it over ssh or something like that.

I may not be understanding what you need.

If you don't disclose the code, you don't need much obfuscation. Just don't store the key in one piece and a bit XOR-ing should be enough to hide it for most situations. To make it a bit more secure you could stored at another location with every build.

Would it be possible to add extra hardware? Then you could use an HSM (Hardware Security Module), there are some with USB connector, which just have to be plugged into the machine. Then your key would be really secure, but you would have to implement the access to that device and you will have to take care of secure insertion of the keys into the HSM.

Openssl or others would be a good start if you want to be secure.

and for obfusication use the highest optimisation (i think it was -O2 or like).

I don't need to secure any comms. The files and the app they uses them are co-located on the same disk. What I need to to have those files encrypted on the disk and decrypted just for the time they are processed and no more.

use aes256

edit:
for storing key use scrypt

you can read sources of cryptomator how they did it (it’s in java)

@platypus My personal favourite: Use NaCl / libsodium. An easy to use, failsafe library for many languages which follows proper cryptographic technologies.
You can hardly fail using it.

Alternatively: Put the files onto an encrypted filesystem (you can run some of them over remotely mounted storages, too). Unfortunately you will have to unlock (=enter the password at some time) them at some point. Best thing: Your application will treat the encrypted storage as a normal filesystem, so no change to existing applications are required.
gocryptfs is a good example of one of them.

Please do not do one thing: Use cryptographic primitives directly. You will ultimately fail at some time - while it might turn out well, it's easy to completely comprise security.
The both above mentioned pieces of software had software audits behind and at least NaCl is created by a well known cryptographer (Daniel J. Bernstein).

The best practice (e.g. for encryption at rest) for key management is actually is to enter the passphrase during system start and cache it in memory. You can also automate this process from a "trusted" machine.
When the machine is turned off, neither the the hosted (or a normal thief) can read data from the disk.

@sbiewald libsodium looks pretty cool. I'm going to dig into that a little more. Thanks.