I'll add one more thing re: use of /boot. We could also clean up
the crypto bootstrapping to just use the /boot/rescue root instead of
the bootstrap image. That is, an unencrypted /boot (doesn't need to be
encrypted anyway) and an encrypted normal root could be driven entirely
from the /boot/rescue environment.
(If I understand the current crypto bootstrapping correctly.)
-Matt
