On 10/21/2014 10:02 PM, Lennart Poettering wrote:
Maybe that's actually a strategy to adopt here: upload the encryption keys into the firmware as efi vars, and then pull them out on next boots or so (assuming that efi vars can be marked to survive soft reboots without making them fully persistent...)
Hmmm, surrendering your encryption keys to the only software part which you do not have control over?