grub unlock initramfs with a user password from the authorized user list (pam integration)
initramfs unlocks system volume
then you log in again? no that’d be lame eh double auth might not be that bad
unlocked-by=user_id kernel param instructs PAM to authenticate the specified user so they don’t have to type their password again
except, how does the system get the password to decrypt the user volume?
unlock prompt only happens on boot so maybe we don’t power down very often? readily suspend to RAM and disk to avoid power cycling.
each application lives in an encrypted volume. pass keys are stored in user volumes.