Create restricted user on Linux, home directory on encrypted partition

Premise

Create a user whose sole task is to run a daemon that also needs to store files on disk. Starting and stopping the daemon, as well as accessing those files, must be possible via ssh. Otherwise the account should be locked down as far as possible.

Let's call the user sandy from now on.

There already is an encrypted device that should serve as this user's home.

The following takes place on a Debian server and an Archlinux desktop.

Workflow

  1. Create the user: adduser sandy and immediately move all of its (hidden) files out of its HOME: sudo mv /home/sandy/.* .. (this assumes /home itself contains no hidden files, since those would be moved along in step 2)
  2. Unlock & mount the device to /home/sandy: sudo cryptsetup luksOpen /dev/sdX sandy; sudo mount /dev/mapper/sandy /home/sandy and move those hidden files back: sudo mv /home/.* /home/sandy/
  3. Fix permissions and ownership of all files; I recommend removing all permissions from both group and others: sudo -iu sandy; sudo chown -R sandy:sandy .; chmod -R go= .
  4. Edit ~/.profile (or ~/.bash_profile) to set an equally restrictive umask: umask 0077
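As an added example (not part of the original post), here are the four steps above as one shell script that is run as root, followed by the check I would want afterwards: that nothing under the home directory carries any group or other permission bit. The argument order, the stash directory /home/.<user>-skel for the skeleton dotfiles, the Debian adduser flags --disabled-password and --gecos, and the DRY_RUN switch are my assumptions, not from the page. find is used instead of the .* glob, because that glob also matches . and .. in many shells.

```sh
#!/bin/sh
# Added example, not from the original post: the four workflow steps as one
# script, run as root, plus a post-check. Assumed (not from the page):
# argument order, the stash directory /home/.<user>-skel, the adduser flags,
# and the DRY_RUN switch.
set -eu

# run CMD ARGS... : execute a privileged step, or only print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_restricted_home USER DEVICE : steps 1-4 of the workflow
setup_restricted_home() {
    user=$1
    dev=$2
    home=/home/$user
    stash=/home/.$user-skel          # temporary home for the skeleton dotfiles

    # Step 1: create the account without a password, then move its
    # skeleton files aside. find is used rather than the .* glob, which
    # also matches . and .. in many shells.
    run adduser --disabled-password --gecos '' "$user"
    run mkdir -m 0700 "$stash"
    run find "$home" -mindepth 1 -maxdepth 1 -exec mv -t "$stash" {} +

    # Step 2: unlock the LUKS device under the user's name and mount it as
    # the home directory, then bring the skeleton files back.
    run cryptsetup luksOpen "$dev" "$user"
    run mount "/dev/mapper/$user" "$home"
    run find "$stash" -mindepth 1 -maxdepth 1 -exec mv -t "$home" {} +
    run rmdir "$stash"

    # Step 4 first, so the new line is covered by the ownership fix below.
    run sh -c "printf 'umask 0077\n' >> $home/.profile"

    # Step 3: everything belongs to the user; group and others get nothing.
    run chown -R "$user:$user" "$home"
    run chmod -R go= "$home"
}

# check_private_tree DIR : succeed only if no path under DIR carries any
# group or other permission bit (the state step 3 should leave behind);
# otherwise list the offenders on stderr and fail.
check_private_tree() {
    leaks=$(find "$1" -perm /077)
    if [ -n "$leaks" ]; then
        printf 'group/other-accessible paths under %s:\n%s\n' "$1" "$leaks" >&2
        return 1
    fi
    return 0
}

# Usage: sh restricted-home.sh --run sandy /dev/sdX  (prefix DRY_RUN=1 to preview)
if [ "${1:-}" = --run ]; then
    setup_restricted_home "$2" "$3"
    check_private_tree "/home/$2"
fi
```

The check is worth re-running whenever the daemon has written new files: a process started with a permissive umask (for example from a systemd unit that does not read ~/.profile) will leave group- and other-readable files behind that the one-time chmod in step 3 never saw.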