Comment 2 for bug 1734290

nemoinis (nemoinis) wrote :

You can put the call to 'pam_ecryptfs.so unwrap' before pam_systemd.so in /etc/pam.d/common-session as I mentioned above, but because this is a managed file, you will get a reminder that you modified it every time a package installation makes changes to /etc/pam.d. So a better fix is this:

(as root) in /usr/share/pam-configs/ecryptfs-utils, change "Priority: 0" to "Priority: 150"
then (still as root) run "pam-auth-update --force"

This will update the contents of /etc/pam.d LOSING ANY LOCAL CHANGES YOU MADE, and placing ecryptfs before other services.
The priority change will remain in effect until the next ecryptfs-utils update, unless the developers make the change in the package. But ecryptfs-utils looks like abandonware (last release was in July 2016 despite many bug reports) so that may be a long time coming.

A better alternative to ecryptfs is either to use a LUKS-encrypted volume/file automounted via libpam-mount, or, once the new pam_e4crypt module is packaged for Debian/Ubuntu, use the new ext4 directory encryption facility.
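
The following is an added example, not part of the comment above: a shell check that an active 'pam_ecryptfs.so unwrap' session line comes before pam_systemd.so, to run against /etc/pam.d/common-session after "pam-auth-update --force". The function names `pam_order_check` and `write_sample` are hypothetical, and the sample file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; pam_order_check and write_sample are hypothetical helpers.

# pam_order_check FILE
# Exit 0: an active 'pam_ecryptfs.so unwrap' session line precedes pam_systemd.so
# Exit 1: both are present but pam_systemd.so comes first
# Exit 2: one of the two modules has no active session line
pam_order_check() {
    awk '
        /^[ \t]*#/ { next }                    # commented-out lines do not count
        $1 !~ /^-?session$/ { next }           # only session (or -session) entries
        /pam_ecryptfs\.so/ && /unwrap/ && !e { e = NR }
        /pam_systemd\.so/ && !s { s = NR }
        END {
            if (!e || !s) exit 2
            if (e < s) exit 0
            exit 1
        }
    ' "$1"
}

# write_sample FILE FIRST SECOND
# Writes a constructed session stack (not a real common-session file)
# with the two given module entries in that order.
write_sample() {
    {
        echo '# constructed sample for the order check'
        echo 'session required pam_unix.so'
        echo "session optional $2"
        echo "session optional $3"
    } > "$1"
}

# Demo on a constructed file with the problematic order.
tmp=$(mktemp)
write_sample "$tmp" 'pam_systemd.so' 'pam_ecryptfs.so unwrap'
if pam_order_check "$tmp"; then
    echo "order ok: ecryptfs unwrap runs before pam_systemd.so"
else
    echo "order check failed with status $?"
fi
rm -f "$tmp"
```

On a real system, call `pam_order_check /etc/pam.d/common-session` and repeat the check after each ecryptfs-utils update, since the comment notes the priority change does not survive one.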