If it's for single books, another option comes to my mind. You could implement another FUSE-based layer filesystem that does encryption of data and, on file access (e.g. first read), pops up a password interface.
That said, I'm using a FUSE interface to ZIP files on my K3. I never bothered to add in a user interface, though. I'm just mounting and unmounting with a launchpad keyboard shortcut. From a developer's standpoint, it is an esoteric solution: I used the Go language for that. In fact, I did not write a single bit of code, I just re-used an example which comes with go-fuse (https://github.com/hanwen/go-fuse), "zipfs". It would not be hard to extend this to some point and implement encryption support (maybe even ZIP's AES encryption). I would also add an external interface to provide a password that is stored for a given amount of time. Using that interface, a GUI-launcher-based solution could be implemented to ask for a password and pass it to the filesystem daemon.
But don't be too optimistic - this is still hard developer work. I just wanted to offer an example for a possible solution. If I have some free time, I might open another thread and go into detail about how I use that "zipfs" in my workflow on a K3.
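A sketch of the timed password store suggested in the post above, as an added example that is not part of the original post or of go-fuse's zipfs. The `PassCache` type and its methods are hypothetical names, and how the GUI launcher hands the password to the daemon is assumed to be handled elsewhere.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// PassCache (hypothetical, not a go-fuse type) keeps one password until a deadline.
type PassCache struct {
	mu      sync.Mutex
	secret  []byte
	expires time.Time
	now     func() time.Time // injectable clock so expiry can be tested
}

// Set stores a private copy of pw for ttl, wiping any previously held value.
func (c *PassCache) Set(pw []byte, ttl time.Duration) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.wipe()
	c.secret = append([]byte(nil), pw...)
	c.expires = c.now().Add(ttl)
}

// Get returns a copy of the password; ok is false if none is set or it expired.
// An expired value is zeroed here; the caller should zero its copy after use.
func (c *PassCache) Get() (pw []byte, ok bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.secret == nil || !c.now().Before(c.expires) {
		c.wipe()
		return nil, false
	}
	return append([]byte(nil), c.secret...), true
}

// wipe overwrites the stored bytes before dropping them. Caller holds mu.
func (c *PassCache) wipe() {
	for i := range c.secret {
		c.secret[i] = 0
	}
	c.secret = nil
}

func main() {
	c := &PassCache{now: time.Now}
	c.Set([]byte("constructed-sample-password"), 5*time.Minute)
	_, ok := c.Get()
	fmt.Println("password available:", ok)
}
```

In the filesystem daemon, a failed `Get` on file access is the point at which the password prompt would be triggered again.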