diff --git a/machines/lappy/default.nix b/machines/lappy/default.nix
index 6fbb039cc..ff000cd8c 100644
--- a/machines/lappy/default.nix
+++ b/machines/lappy/default.nix
@@ -11,6 +11,8 @@
   boot.loader.efi.canTouchEfiVariables = false;
   sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
+  users.users.colin.initialPassword = "147147";
+
   # default config: https://man.archlinux.org/man/snapper-configs.5
   # defaults to something like:
   # - hourly snapshots
diff --git a/modules/universal/env/default.nix b/modules/universal/env/default.nix
index 10593b2d0..0700b38fe 100644
--- a/modules/universal/env/default.nix
+++ b/modules/universal/env/default.nix
@@ -1,4 +1,4 @@
-{ ... }:
+{ pkgs, ... }:
 {
   imports = [
@@ -21,5 +21,16 @@
   };
   # enable zsh completions
   environment.pathsToLink = [ "/share/zsh" ];
+  environment.systemPackages = with pkgs; [
+    # required for pam_mount
+    gocryptfs
+  ];
+
+  security.pam.mount.enable = true;
+  # security.pam.mount.debugLevel = 1;
+  # security.pam.enableSSHAgentAuth = true; # ??
+  # needed for `allow_other` in e.g. gocryptfs mounts
+  # or i guess going through mount.fuse sets suid so that's not necessary?
+  # programs.fuse.userAllowOther = true;
 }
diff --git a/modules/universal/env/home-packages.nix b/modules/universal/env/home-packages.nix
index cfc0b3c3f..38d09edc2 100644
--- a/modules/universal/env/home-packages.nix
+++ b/modules/universal/env/home-packages.nix
@@ -9,6 +9,7 @@ let
     cdrtools
     duplicity
     gnupg
+    gocryptfs
     ifuse
     ipfs
     libimobiledevice
diff --git a/modules/universal/users.nix b/modules/universal/users.nix
index a3f280a15..5e0ad8eda 100644
--- a/modules/universal/users.nix
+++ b/modules/universal/users.nix
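Review bot: `users.users.colin.initialPassword = "…"` commits a plaintext login password to the repository, and NixOS documents that a plaintext `initialPassword` ends up world-readable in the Nix store, which is why the option is meant for guest or throwaway accounts. The `pamMount` volume added in modules/universal/users.nix hands the login password to gocryptfs as the volume passphrase (its comment says the two must be equal), so this value would also bound the strength of the encryption passphrase until it is changed on first login. Prefer `initialHashedPassword` with a hash generated out of band (e.g. with `mkpasswd`), or set the password interactively after install; if a bootstrap value is genuinely required, mark it: `# first-login placeholder only; rotate immediately (pam_mount reuses it for the gocryptfs volume)`.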
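Review bot: The trailing comments in the `security.pam.mount` hunk of modules/universal/env/default.nix leave the `allow_other` question open, and it can be settled: `user_allow_other` in fuse.conf (what `programs.fuse.userAllowOther` writes) only governs unprivileged callers of fusermount, whereas pam_mount performs the mount from the root PAM session context, so the option is not needed on this path; the "mount.fuse sets suid" guess is not the reason. Suggest replacing the three speculative lines with `# programs.fuse.userAllowOther is not needed here: pam_mount mounts as root, and user_allow_other only gates unprivileged use of allow_other.` The dangling `# security.pam.enableSSHAgentAuth = true; # ??` is unrelated to pam_mount and is better removed or turned into a TODO with the intent stated than left as a question inside the config.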
@@ -54,6 +54,17 @@ in
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX colin@servo"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU colin@moby"
     ];
+
+    pamMount = {
+      # mount encrypted stuff at login
+      # requires that login password == fs encryption password
+      # fstype = "fuse";
+      # path = "${pkgs.gocryptfs}/bin/gocryptfs#/nix/persist/home/colin/private";
+      fstype = "fuse.gocryptfs";
+      path = "/nix/persist/home/colin/private";
+      mountpoint = "/home/colin/private";
+      options="nodev,nosuid,quiet,allow_other";
+    };
   };
   sane.impermanence.service-dirs = mkIf cfg.guest.enable [
diff --git a/pkgs/gocryptfs/default.nix b/pkgs/gocryptfs/default.nix
new file mode 100644
index 000000000..823b219bb
--- /dev/null
+++ b/pkgs/gocryptfs/default.nix
@@ -0,0 +1,15 @@
+{ pkgs, lib, ... }:
+
+(pkgs.gocryptfs.overrideAttrs (upstream: {
+  # XXX `su colin` hangs when pam_mount tries to mount a gocryptfs system
+  # unless `logger` (util-linux) is accessible from gocryptfs.
+  # this is surprising: the code LOOKS like it's meant to handle logging failures.
+  # propagating util-linux through either `environment.systemPackages` or `security.pam.mount.additionalSearchPaths` DOES NOT WORK.
+  #
+  # TODO: see about upstreaming this
+  postInstall = ''
+    wrapProgram $out/bin/gocryptfs \
+      --suffix PATH : ${lib.makeBinPath [ pkgs.fuse pkgs.util-linux ]}
+    ln -s $out/bin/gocryptfs $out/bin/mount.fuse.gocryptfs
+  '';
+}))
diff --git a/pkgs/overlay.nix b/pkgs/overlay.nix
index aa0c426a3..7468b9a39 100644
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@@ -35,6 +35,8 @@
   # patch rpi uboot with something that fixes USB HDD boot
   ubootRaspberryPi4_64bit = prev.callPackage ./ubootRaspberryPi4_64bit { pkgs = prev; };
+  gocryptfs = prev.callPackage ./gocryptfs { pkgs = prev; };
+
   #### TEMPORARY: PACKAGES WAITING TO BE UPSTREAMED
   kaiteki = prev.callPackage ./kaiteki { };
   # kaiteki = prev.kaiteki;
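Review bot: `options="nodev,nosuid,quiet,allow_other"` makes the decrypted view of the volume reachable by every other local uid rather than only colin, which widens exposure of exactly the data this volume exists to protect; unless another user or a system service must read `/home/colin/private`, drop `allow_other` so the kernel's default owner-only FUSE rule applies. If it is needed, make sure kernel permission checks are in effect: gocryptfs documents its own `-allow_other` flag as also enabling `default_permissions`, but whether the `-o allow_other` path through `mount.fuse.gocryptfs` behaves the same is worth confirming, otherwise pass `default_permissions` explicitly. The comment `# requires that login password == fs encryption password` would help more if it also said that a later `passwd` has to be paired with `gocryptfs -passwd` on the cipherdir, since pam_mount only forwards whatever was typed at login. The enclosing `users.users.colin` attribute set begins outside the hunk.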
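Review bot: In pkgs/gocryptfs/default.nix, `--suffix PATH` appends the packaged `fusermount` and `logger` behind whatever PATH the calling process already has, so under pam_mount (which runs in the login process's environment, as root) a same-named binary earlier on that PATH would win; upstream nixpkgs wraps gocryptfs with `--prefix` for this reason, if I read it right, and `--prefix PATH : ${lib.makeBinPath [ pkgs.fuse pkgs.util-linux ]}` keeps the known-good tools first without changing anything else. Assigning `postInstall` replaces upstream's hook rather than extending it (the `upstream` argument is bound but never used), which is presumably deliberate since `pkgs.fuse` is re-listed here; a short comment such as `# replaces, not extends, upstream postInstall: we re-wrap with fuse + util-linux ourselves` would stop the next reader from turning it into an append that wraps the binary twice. The `mount.fuse.gocryptfs` symlink resolves to the wrapper script, so the real binary does not see that name in argv[0]; that is fine if gocryptfs detects helper mode from its `-o` arguments rather than its name, which deserves a confirming comment.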
diff --git a/pkgs/sane-scripts/default.nix b/pkgs/sane-scripts/default.nix
index 819686895..a1a5f35ec 100644
--- a/pkgs/sane-scripts/default.nix
+++ b/pkgs/sane-scripts/default.nix
@@ -23,6 +23,7 @@ resholve.mkDerivation {
     file
     findutils
     gnugrep
+    gocryptfs
     ifuse
     inotify-tools
     ncurses
@@ -54,14 +55,15 @@ resholve.mkDerivation {
   };
   # list of programs which *can* or *cannot* exec their arguments
-  execer = [
-    "cannot:${pkgs.ifuse}/bin/ifuse"
-    "cannot:${pkgs.oath-toolkit}/bin/oathtool"
-    "cannot:${pkgs.openssh}/bin/ssh-keygen"
-    "cannot:${pkgs.rmlint}/bin/rmlint"
-    "cannot:${pkgs.rsync}/bin/rsync"
-    "cannot:${pkgs.ssh-to-age}/bin/ssh-to-age"
-    "cannot:${pkgs.sops}/bin/sops"
+  execer = with pkgs; [
+    "cannot:${gocryptfs}/bin/gocryptfs"
+    "cannot:${ifuse}/bin/ifuse"
+    "cannot:${oath-toolkit}/bin/oathtool"
+    "cannot:${openssh}/bin/ssh-keygen"
+    "cannot:${rmlint}/bin/rmlint"
+    "cannot:${rsync}/bin/rsync"
+    "cannot:${sops}/bin/sops"
+    "cannot:${ssh-to-age}/bin/ssh-to-age"
   ];
 };
};
diff --git a/pkgs/sane-scripts/src/sane-private-init b/pkgs/sane-scripts/src/sane-private-init
new file mode 100755
index 000000000..54e790dc8
--- /dev/null
+++ b/pkgs/sane-scripts/src/sane-private-init
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+set -ex
+
+# configure persistent, encrypted storage that is auto-mounted on login.
+# this is a one-time setup and user should log out/back in after running it.
+
+p=/nix/persist/home/colin/private
+mkdir -p $p
+gocryptfs -init $p
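Review bot: `"cannot:${gocryptfs}/bin/gocryptfs"` in the `execer` list tells resholve that gocryptfs never executes one of its arguments, which holds for the `gocryptfs -init` call in sane-private-init but not for the binary in general: gocryptfs accepts `-extpass`, a command it runs to obtain the passphrase, so a future script using that flag would have its command left unresolved without any warning. A one-line comment on the entry records the assumption: `# gocryptfs can exec a command via -extpass; "cannot" is only valid while no script here passes it`. The `with pkgs;` rewrite of the list is otherwise equivalent, and the first hunk of this file is fine as is.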
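Review bot: The header comment of sane-private-init omits the constraint that actually matters at the next login: the passphrase entered at `gocryptfs -init` must be the user's current login password, because the `pamMount` volume in modules/universal/users.nix hands the password typed at login to gocryptfs unchanged; suggest adding `# when prompted, enter your *login* password: pam_mount forwards it verbatim to gocryptfs at login.` The cipherdir path duplicates the `path` in users.nix, so changing one without the other silently breaks the mount; a comment pointing at that file (or deriving the path from `$HOME`, e.g. `/nix/persist$HOME/private`) keeps them in step. Minor: quote the expansions, `mkdir -p "$p"` and `gocryptfs -init "$p"`, and note that if the script is ever run as root the cipherdir is created root-owned, which presumably makes the later mount for colin fail or leave files unwritable (depends on how pam_mount invokes the helper; worth checking).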