Here's some copypasta from the ArchWiki:
> Before starting, check the eCryptfs documentation. It is distributed with a very good and complete set of manual pages.
> eCryptfs has been included in Linux since version 2.6.19. Start by loading the ecryptfs module:
> # modprobe ecryptfs
> Tip: If you use linux-grsec, auto-loading of cryptographic modules may fail when executing the ecryptfs-mount-private wrapper (as of November 2014). As a work-around, load the mentioned module manually; for example modprobe md5 as root and configure the system to load it at next boot.
Not sure what this means but it's a bit spooky.
> Warning: Unfortunately the automatic unmounting is susceptible to break with systemd and bugs are filed against it.[1] [2] [3] [4] If you experience this problem, you can test it by commenting out -session optional pam_systemd.so in /etc/pam.d/system-login. However, this is no solution because commenting out will break other systemd functionalities.
> https://bugs.freedesktop.org/show_bug.cgi?id=72759
> https://nwrickert2.wordpress.com/2013/12/16/systemd-user-manager-ecryptfs-and-opensuse-13-1/
> https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/313812/comments/43
> https://lists.alioth.debian.org/pipermail/pkg-systemd-maintainers/2014-October/004088.html
Seems like automounting is dangerous on systemd.
One could either encrypt their /home/$USER dir, or some other dir or ~/.Private ON TOP OF AN ENCRYPTED SYSTEM. It may not be as secure as mounting an encrypted hard drive and unlocking it without an active internet connection, but you can have a dir encrypted even after decrypting your storage via dm-crypt and choose to have it decrypted manually or automatically. One needs to trust that their USB or SATA ports aren't physically tampered with if one tries to decrypt an external storage device connected to the system; one or more hardware variables are gone because ecryptfs works on top of an existing filesystem without the need to make a separate storage space to mount it on. On the downside, ecryptfs doesn't use super secure encryption protocols and is buggy for systemd and maybe linux-grsec based kernels. I think it is a better alternative than, say, putting your stuff in a compressed package with a password on it, but that's just me.
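
The systemd warning quoted above means a private directory can stay mounted, and readable, after its owner logs out. The script below is an added example, not code from the ArchWiki or from this post, that reads /proc/mounts-format input and reports eCryptfs mounts whose owner has no session. The `/home/<user>` layout, the function names and the sample lines are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the ArchWiki or the post above).
# Flags eCryptfs mounts that are still present although their owner has
# no login session, i.e. the automatic unmount did not happen.
# Assumption: private directories are mounted at /home/<user> or below.

# Constructed sample in /proc/mounts format (device mountpoint type opts).
sample_mounts() {
    cat <<'EOF'
/dev/mapper/cryptroot / ext4 rw,relatime 0 0
/home/alice/.Private /home/alice/Private ecryptfs rw,nosuid,nodev,relatime,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
/home/bob/.Private /home/bob/Private ecryptfs rw,nosuid,nodev,relatime,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
/home/.ecryptfs/carol/.Private /home/carol ecryptfs rw,nosuid,nodev,relatime,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
EOF
}

# stale_ecryptfs_mounts "user1 user2 ..."  < mounts-file
# Prints "user mountpoint" for each ecryptfs mount whose owner is not in
# the given list of users with an open session.
stale_ecryptfs_mounts() {
    # Normalise newlines/tabs so the list can come straight from `who`.
    active=" $(printf '%s' "$1" | tr '\n\t' '  ') "
    while read -r _dev mnt fstype _rest; do
        [ "$fstype" = "ecryptfs" ] || continue
        case $mnt in
            /home/?*) owner=${mnt#/home/}; owner=${owner%%/*} ;;
            *) continue ;;
        esac
        case $active in
            *" $owner "*) ;;                       # session open: expected
            *) printf '%s %s\n' "$owner" "$mnt" ;; # left mounted after logout
        esac
    done
}

# Demo on the constructed sample: only alice is logged in.
sample_mounts | stale_ecryptfs_mounts "alice"

# Live system (assumes `who` lists every session you care about):
#   stale_ecryptfs_mounts "$(who | cut -d' ' -f1 | sort -u)" < /proc/mounts
```

Any line it prints is a directory that can be unmounted by hand with `umount` or `ecryptfs-umount-private` once the user is confirmed to be logged out.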