Unfortunately 2 is not always set. Before crypto::DecryptVaultKeyset being called the serialized is set to low entropy credential, but after decryption, the output from vault_keyset->IsLECredential() is still false. This happens at PIN login (in Mount::DecryptVaultKeyset).

That's because serialized inside the vault keyset is set only in Load function. And it's not loaded in that flow. The vault keyset is created and filled with data, while serialized_ is unaffected.

I don't know what would be a good solution to this. We have this data in serialized (the data from disk) when we do the decryption and have it in the vault keyset (in memory) when we need to do encryption.

Re comment 1: Just to note, I'm suspecting that my refactoring CL http://crrev.com/c/1098255 (which was originally aimed at bug 832395) could fix this issue, by making Mount::DecryptVaultKeyset() reuse HomeDirs::GetValidKeyset() and transitively VaultKeyset::Load()+VaultKeyset::Decrypt() instead of its own logic of loading keysets.
Admittedly, my CL turned out to be quite non-trivial and got stuck in reviewing, but if it addresses the problem discovered above then maybe we should attempt at landing it?

Re #1: in the current codebase, do we rely somewhere on checking key_data.policy.low_entropy_credential through vault_keyset->IsLECredential() after Mount::DecryptVaultKeyset()? Inside Mount::DecryptVaultKeyset we seem to always check for LE_CREDENTIAL in flags, which is fine. 
Just trying to understand if we need an urgent fix or can wait for the refactoring.

Maksim - looks like your change landed in the end, any updates to this bug? thanks!