Comment # 7 on bug 1072792 from Josef M�llers

I've discussed this with several security people and the summary is: it can't
be done. When you log in using key-based authentication, no secrets actually
pass from the client to the server so no information required to unlock the key
for the encrypted directory is available on the server side.
What would be required is to add a component to the PAM stack to ask for the
passphrase which, partialy if not entirely, defeats the purpose of key-based
authentication.

So I'm closing this bug as "INVALID" as there is no solution to this problem.