Goodbye keyboards and monitors!
We encrypt a user home directory with eCryptfs. The consequence is that the contents of this directory are only accessible if at least one of the following is true:
* or has processes surviving logout (for instance lingering services).
This may increase privacy, depending on how the system is used.
If the user home is not encrypted, it would suffice to be root (without the user necessarily being logged in). Note that being root on another system and mounting the partition hosting the user’s home suffices.
Put that second drive to use!
To make it even harder for predatory institutions to find your keys.
Use autossh and a systemd service…
LUKS partitions cannot be recovered once the header is lost.
No need to enable full login shell if the only intended usage is proxying.
No need to enable full login shell if the only intended usage is tunneling.