Arch Linux

Proposal/Rationale:

It is possible, though not very well documented, in grub 2.00 (photo of what I'm talking about attached) to have the /boot filesystem inside a LUKS container, and grub is capable of decrypting the master key, and unlocking the container to load the grub configuration, kernel, initramfs and so on.

This then makes for, in my opinion, a very sane opportunity to use the initramfs as a keyfile storage location, which solves the problem of not having to type the same passphrase twice on boot (currently there appears to be no magic that allows grub to pass the master key to the kernel), without having to resort to silliness like putting the keyfile on some unencrypted removable storage.

The greatest benefit, however, is that using this method, it is possible to then, in a way that doesn't potentially jeopardize the secrecy of the keyfile, kexec a machine without requiring human intervention in early-boot.

Implementation:

It seems that the current encrypt hook seems to make the assumption that all keyfiles can only be located on some sort of block device, rather than on the initramfs. So I made a quick hack (the primary goal being to modify the current hook as little as possible) that allows one to specify the location of the keyfile on initramfs.

The current patch is sub-optimal/ugly, however, because the kernel line ends up looking like "cryptkey=dontcare:/path/to/key:dontcare" or even "cryptkey=dontcare:/path/to/key". I am eagerly interested to hear your opinions on how to possibly improve the cryptkey parameters.