HowTo Encrypt Home Directory and Mount it on Login

Basically follow https://leighmcculloch.com/posts/ubuntu-encrypt-home-directory-with-gocryptfs/. But there are some extensions I added so that mounting also works with ssh.

sudo apt install libpam-mount gocryptfs
Uncomment user_allow_other in /etc/fuse.conf
Edit /etc/security/pam_mount.conf.xml and add

                <volume
                    user="some_username"
                    fstype="fuse"
                    options="nodev,nosuid,quiet,nonempty,allow_other"
                    path="/usr/bin/gocryptfs#/home/some_username.cipher"
                    mountpoint="/home/some_username"
                />

At the end of /etc/pam.d/common-auth check that there's

auth    optional        pam_mount.so

Backup the home directory by e.g.

    cd /home
    sudo tar cvf $USER.tar $USER

Create a directory to hold the encrypted files.

    sudo mkdir $USER.cipher
    sudo chown $USER:$USER $USER.cipher

Initialize the enrypted files.

    gocryptfs -init $USER.cipher

Clear the home directory.

    rm -fr /home/$USER/* /home/$USER/.* # Keep .ssh .bashrc and .profile

Add a file that will indicate if the encrypted file system isn’t mounted.

    touch /home/$USER/GOCRYPTFS_NOT_MOUNTED

Mount the encrypted home directory.

    gocryptfs -nonempty $USER.cipher $USER

Copy the home directory into the mounted encrypted home directory.

tar xvf $USER.tar --strip-components=1 -C $USER

Add a file that will indicate if the encrypted file system is mounted.

touch /home/$USER/GOCRYPTFS_MOUNTED

Add to .profile

sudo login -f $USER

This is necessary for ssh login with publickey because then a password is missing. And without the line there would also be no prompt for the gocryptfs password. So there was no automatic login and you had to gocryptfs -nonempty /home/$USER.cipher /home/$USER to mount.

Reboot the system, check that after login the GOCRYPTFS_MOUNTED file is in the home directory.
Then - and only then - you could delete the backup by rm /home/$USER.tar