I built a small set of scripts to decrypt when the initrd starts and can load from a file in the initrd (from separate volume), EFI, or various combinations of passphrase in GRUB. The main intent isn’t to keep out somebody with physical access to the machine and sufficient time but rather makes it a lot easier to make the data unrecoverable when the drive is disposed of.
I built a small set of scripts to decrypt when the initrd starts and can load from a file in the initrd (from separate volume), EFI, or various combinations of passphrase in GRUB. The main intent isn’t to keep out somebody with physical access to the machine and sufficient time but rather makes it a lot easier to make the data unrecoverable when the drive is disposed of.