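### /etc/crypttab
# The root volume is unlocked with a raw key file that is embedded in the
# initramfs (see the hook at the bottom). keyscript=/bin/cat just emits the
# key file's bytes and cryptsetup uses them as the passphrase, so that file
# must be readable by root only, both on disk and inside the initrd.
sda2_crypt UUID=00000000-0000-0000-0000-000000000000 /etc/root-keyfile.bin luks,discard,keyscript=/bin/cat

### /etc/fstab
# Small unencrypted partition that only carries the first-stage GRUB config.
UUID=00000000-0000-0000-0000-000000000000 /cleartext-boot ext4 defaults,relatime 0 0

### /cleartext-boot/grub/grub.cfg
# First-stage config. It is signed (see grub.cfg.sig below) and verified by the
# GRUB that loads it when signature checking is enforced. It unlocks the LUKS
# container by UUID (GRUB form, no dashes), locates the encrypted filesystem
# and hands over to the config stored inside it.
cryptomount -u 00000000000000000000000000000000
if search --no-floppy --fs-uuid --set=root 00000000-0000-0000-0000-000000000000; then
  source "/boot/encrypted.cfg"
fi

### /boot/encrypted.cfg
# Second-stage config, also signed. Once GRUB is reading from the unlocked
# volume, signature checking is switched off so the distro-generated
# /grub/grub.cfg and the kernels need no detached signatures. From this point
# on tamper-resistance rests on the two signed stage files and on the LUKS
# volume; note that LUKS on its own encrypts but does not authenticate its
# contents, so this is where cryptographic verification of boot files ends.
set check_signatures=no
configfile /grub/grub.cfg

### /etc/bootkey.pub
# Create an RSA keypair and export the public key here. The public half is the
# one GRUB uses to verify the detached signatures; the private half never
# needs to be on this machine.

### /cleartext-boot device
# Make sure it has the label COREBOOT-GRUB.

### /cleartext-boot/grub/grub.cfg.sig
### /boot/encrypted.cfg.sig
# Detached signatures of the two stage files, made with the private half of
# the keypair whose public half is /etc/bootkey.pub. Re-sign whenever either
# file changes, or GRUB will refuse to load it.
# Make sure that /boot is not readable to anyone but root: the initramfs in it
# embeds the root key file. Consider UMASK=0077 in
# /etc/initramfs-tools/initramfs.conf so the generated initrd is created
# root-only rather than fixed up afterwards.

### /etc/root-keyfile.bin
# Create it from a good random number generator, then `cryptsetup luksAddKey`
# it to the relevant devices. Keep it mode 0600, owned by root.

### /etc/initramfs-tools/hooks/root-keyfile
#!/bin/sh
# initramfs-tools hook: copy the root key file into the initramfs so the
# crypttab entry above can unlock the root volume without prompting.
# Arguments: $1 - "prereqs" when initramfs-tools asks for hook dependencies
# Globals:   DESTDIR (read) - staging directory of the initramfs being built
# Returns:   0 always. A missing key file is reported on stderr but does not
#            abort the image build, so the machine can still be rebuilt to a
#            passphrase-prompting state.

KEYFILE=/etc/root-keyfile.bin

case $1 in
  prereqs)
    # This hook has no prerequisites.
    exit 0
    ;;
esac

. /usr/share/initramfs-tools/hook-functions

if [ -f "$KEYFILE" ]; then
  mkdir -p "$DESTDIR/etc"
  cp -p "$KEYFILE" "$DESTDIR/etc/"
  # Do not rely on the source mode alone: the copy is the one secret in the
  # image, so force it root-only however the file was created.
  chmod 0600 "$DESTDIR/etc/${KEYFILE##*/}"
else
  # Without the key file the crypttab entry cannot unlock root at boot; say so
  # now, while the image is being built, rather than at the next reboot.
  printf 'root-keyfile hook: %s not found, key not embedded in initramfs\n' "$KEYFILE" >&2
fi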