cryptHomeLuks fails to mount on ssh login #21314

Closed
league opened this issue Dec 20, 2016 · 1 comment
Comments

league commented Dec 20, 2016

Issue description

I tried to use the undocumented setting users.extraUsers.NAME.cryptHomeLuks to have a LUKS-encrypted volume mounted to ~NAME on login via pam_mount (using the login passphrase). It works when I log in on the console or use the login command from the root account. However, when I log in to the machine via ssh the login succeeds but the user's home volume is not mounted. (This general technique works for me on ArchLinux, including during ssh login.)

Also, if cryptHomeLuks generally works for people, I'd like to see it added to the official manual, as an alternative to eCryptfs.

Steps to reproduce

Not sure I need to be this detailed, but here's roughly what I did to set up the LUKS volume:

lvcreate -L 1.6g -n NAME vg0
cryptsetup luksFormat /dev/vg0/NAME
cryptsetup open /dev/vg0/NAME zz
mkfs.ext4 /dev/mapper/zz
mount /dev/mapper/zz /home/NAME
touch /home/NAME/THIS_IS_CRYPTO
chown -R NAME:users /home/NAME
umount /home/NAME
cryptsetup close /dev/mapper/zz

Edit /etc/nixos/configuration.nix, adding:

security.pam.mount.enable = true;
users.extraUsers.NAME.cryptHomeLuks = "/dev/vg0/NAME";

Then: nixos-rebuild switch && reboot. Then login from a remote machine via ssh.

elsewhere% ssh NAME@NIXHOST
NIXHOST% ls -l THIS_IS_CRYPTO
ls: cannot access 'THIS_IS_CRYPTO': No such file or directory

To compare, from root on NIXHOST:

root@NIXHOST# login NAME
NAME@NIXHOST% ls -l THIS_IS_CRYPTO
-rw-r--r-- 1 NAME users     0 Dec 20 14:49 THIS_IS_CRYPTO

I did the non-working ssh login first because my experience with this technique on Arch is that the user's volume is not always cleanly unmounted on logout. So an ssh after a console login might still see the mounted volume.

Technical details

  • System: 16.09.1272.81428dd (Flounder)
  • Nix version: nix-env (Nix) 1.11.4
  • Nixpkgs version: 16.09.1272.81428dd
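An added diagnostic (editor's example, not code from the issue or from nixpkgs) for narrowing down a report like the one above. pam_mount can only mount a cryptHomeLuks volume during a login if the PAM service that handles that login loads pam_mount.so in both its auth stack (which captures the password to use as the LUKS passphrase) and its session stack (which performs the mount); a login path that never sends a password through PAM, such as an ssh public-key login, gives pam_mount nothing to unlock with. The script below checks those two conditions against a PAM file and a mounts table, and exercises the checks on constructed sample files. The path /etc/pam.d/sshd, the user name NAME and the device-mapper name in the sample mounts table are assumptions.

```shell
#!/usr/bin/env sh
# Editor's diagnostic for cryptHomeLuks + pam_mount; not part of the issue.
# Assumptions: the ssh login is handled by the PAM service file
# /etc/pam.d/sshd, and the user's home is /home/NAME.

# Return 0 if the PAM service file $1 loads pam_mount.so in both the auth
# and the session stack; 1 if either is missing; 2 if the file is unreadable.
pam_mount_wired() {
    pamfile=$1
    [ -r "$pamfile" ] || return 2
    # Commented-out lines start with '#', so the anchored match skips them.
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_mount\.so' "$pamfile" || return 1
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_mount\.so' "$pamfile" || return 1
    return 0
}

# Return 0 if $1 is listed as a mount point in the mounts table $2
# (default /proc/mounts). Field 2 of /proc/mounts is the mount point.
home_is_mounted() {
    mountpoint=$1
    mounts=${2:-/proc/mounts}
    awk -v mp="$mountpoint" '$2 == mp { found = 1 } END { exit !found }' "$mounts"
}

# Constructed sample inputs so the checks can be exercised offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/pam_sshd_ok" <<'EOF'
auth     required  pam_unix.so
auth     optional  pam_mount.so
session  required  pam_unix.so
session  optional  pam_mount.so
EOF
cat > "$SAMPLE_DIR/pam_sshd_missing" <<'EOF'
auth     required  pam_unix.so
session  required  pam_unix.so
# session optional pam_mount.so   (commented out, so not active)
EOF
cat > "$SAMPLE_DIR/mounts" <<'EOF'
/dev/mapper/root / ext4 rw,relatime 0 0
/dev/mapper/_dev_vg0_NAME /home/NAME ext4 rw,relatime 0 0
EOF

# Run both checks against the live system for user $1 (default NAME).
diagnose() {
    user=${1:-NAME}
    if pam_mount_wired /etc/pam.d/sshd; then
        echo "pam_mount.so is in both auth and session of /etc/pam.d/sshd"
    else
        echo "pam_mount.so is missing from auth or session in /etc/pam.d/sshd"
    fi
    if home_is_mounted "/home/$user"; then
        echo "/home/$user is a mount point"
    else
        echo "/home/$user is not mounted; you are seeing the bare directory"
    fi
}

# Usage on the host, inside the ssh session that shows the empty home:
#   . ./diag.sh && diagnose NAME
```

Run `diagnose` from inside the ssh session that shows the empty home, then from the console login that works; a difference in the first line points at the PAM service wiring, while identical first lines and a missing mount point point at the authentication or session step itself.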
league commented Feb 25, 2018

Closing this just in the interest of tidiness. I'm sure the options mentioned have evolved since this was reported, but I'm not using them at the moment.
