@eschen42
Created March 5, 2019 04:28
Public key SSH with eCryptFS home directory

The goal

I want to SSH into an Ubuntu box with an encrypted home directory, and I prefer using publickey authentication.

The problem posed by an encrypted home

Ubuntu allows you to encrypt your own home directory. If you insist, as I do, on publickey authentication for SSH (which is nearly two-factor authentication as long as you protect your private ID key with a passphrase), this presents a problem: to authenticate, sshd needs to read your ~/.ssh/authorized_keys file, but while you are not logged in your home directory is not mounted and the file is inaccessible.

An ideal solution

The definitive answer https://askubuntu.com/a/116198 seems straightforward: create a ~/.ssh/authorized_keys file that will be visible before your directory is mounted. The trouble is that I cannot figure out how to do that.

A practical solution when you can sudo

As long as you have sudo, you can bypass this issue by adding this line to /etc/ssh/sshd_config:

AuthorizedKeysFile	/etc/ssh/authorized_keys.d/%u

and then executing service ssh restart.

Next, put what you would ordinarily put into ~/.ssh/authorized_keys into /etc/ssh/authorized_keys.d/%u, where sshd replaces %u with the username. For instance, my username is art, so I put my authorized keys into /etc/ssh/authorized_keys.d/art, then I

chown art:art /etc/ssh/authorized_keys.d/art
chmod 644 /etc/ssh/authorized_keys.d/art
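
The steps above as shell functions, an added example that is not part of the original gist; the function names and the `art.pub` file name are hypothetical. It puts the directive on the first line of the config and checks the key file's modes, which the gist's commands do not do.

```sh
#!/bin/sh
# Added example, not from the gist. Function names are hypothetical.
DIRECTIVE='AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u'

# Put DIRECTIVE on the first line of CONF unless it is already the first active
# AuthorizedKeysFile setting. sshd uses the first value it reads for a keyword,
# and the top of the file is outside any Match block.
set_keys_directive() {
    conf=$1
    first=$(grep -iE '^[[:space:]]*AuthorizedKeysFile[[:space:]]' "$conf" | head -n 1)
    if [ "$first" = "$DIRECTIVE" ]; then return 0; fi
    tmp=$(mktemp) || return 1
    { printf '%s\n' "$DIRECTIVE"; cat "$conf"; } > "$tmp" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Copy SRC (one public key per line) to DIR/USER with the gist's mode 644.
# Ownership is changed only when running as root.
install_keys() {
    user=$1 src=$2 dir=$3
    mkdir -p "$dir" && chmod 755 "$dir" || return 1
    cp "$src" "$dir/$user" && chmod 644 "$dir/$user" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$user:$(id -gn "$user")" "$dir/$user" || return 1
    fi
}

# Succeed only if FILE is a regular file and neither it nor its directory is
# writable by group or others; with StrictModes (the default) sshd ignores
# key files that fail this. sshd also checks ownership, which is not tested here.
check_keys_file() {
    f=$1
    [ -f "$f" ] || return 1
    loose=$(find "$f" "$(dirname "$f")" -prune \( -perm -020 -o -perm -002 \) -print)
    [ -z "$loose" ]
}

# As root, for the gist's user "art" (art.pub is a placeholder file name):
#   set_keys_directive /etc/ssh/sshd_config && sshd -t && service ssh restart
#   install_keys art art.pub /etc/ssh/authorized_keys.d
#   check_keys_file /etc/ssh/authorized_keys.d/art
```

Because the directive lists only the /etc path, sshd stops consulting ~/.ssh/authorized_keys for every account on the box, so each user who logs in by key needs a file in /etc/ssh/authorized_keys.d.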