Secure the root LUKS header and keyfile

[BennyLi]

Currently the LUKS header and keyfile to open the main drive (with the root partition) are stored inside the encrypted boot partition on the USB stick. But at runtime the boot partition is mounted to the system and therefor the header and keyfiles are no more protected. This should be changed.

Possible solutions (so far):

• Put the header and the keyfile into another another encrypted partition and only mount that on boot but not into the live system.
• Encrypt the header and kefile in place (if this is possible)