SSH into Fscrypt encrypted $HOME using keys (... and password)

The problem

You have set up Fscrypt encrypted $HOME and you have set up PAM to decrypt your $HOME with your user login password. Now you want to SSH into your user with SSH keys but the problem is that .ssh/authorized_keys sitting in your $HOME is encrypted too and the sshd daemon can't access it to verify your identity. Password authentication would work though with PAM but you don't want that because of prevalence of brute-force attacks. So what do we do?

Solution

The solution is to put your public keys outside your $HOME with restrictive permissions and set up sshd to require both key and password authorisation (password auth does the decryption with PAM).

First, as root we create some folder outside of $HOME to hold our public keys for each $USER. I went for /ssh/. Set permissions for that folder to 500 with chmod and make sure it is owned by root.

Now, create a file inside that folder named with your username. My username is ugjka so it would be /ssh/ugjka and then put your public key inside that file like you would with .ssh/authorized_keys. Make sure the owner is root, and permissions are 400

Now we need to configure the sshd daemon to search for our public keys inside /ssh/ instead of $HOME. To do that we edit /etc/ssh/sshd_config and add the following changes

AuthenticationMethods publickey,password
AuthorizedKeysCommand /usr/bin/cat /ssh/%u
AuthorizedKeysCommandUser root

Also make sure PasswordAuthentication and PubkeyAuthentication is set to Yes

Restart the sshd daemon and you are set :)

So now when the user ugjka tries to login, the AuthorizedKeysCommand directive will call cat /ssh/ugjka (because %u expands to the username) and will return the public key inside that file to the sshd daemon and authorisation will proceed. Then, next, according to the AuthenticationMethods directive, the password authentication will be invoked and, if PAM is configured correctly, it will decrypt your $HOME.