Comment # 7 on bug 1137056 from Jiri Srain

There is another option: Have /boot outside the encrypted volume as a separate
partition. Then you need to enter the password only once. However, if you want
to use snapper, then you kernel/initrd cannot be snapshotted.

What I wanted to point out: It is not possible to put the key there
unconditionally even if we accept the risk.


In any case: The installer should not implement this request before it gets
blessing from the security team. If the design is evaluated as not bringing any
additional not acceptable risk, then IMO any approach that improves the
usability will be welcome (by myself too).

Security team is in NEEDINFO, let them evaluate this idea.