Since we're going for systemd compatibility, we're going to need to change the key syntax. It seems like there are two supported syntaxes which are handled a little bit differently by the encrypt hook and initscripts.

1) <dev>:<fstype>:<file>

I want to support this by adding a keydev= option. What remains is what to do when a key is not available and there is no keydev=. For a first go I think such a setup doesn't need to be supported, but eventually deriving a default will be good.

The primary target here is to support having a keyfile for an encrypted /usr stored on root. This is a little tricky in the initcpio because it would be pretty undesirable from my perspective to tell the user such keys need to be /new_root/... One way to do this would be keydev=/dev/mapper/root, but this might mean mounting root to some temporary location, unmounting it, and then having initcpio pick up as normal after the hooks. Among other things, this would mount root before fsck.

2) <dev>:<offset>:<length>

I want to drop support for this. The length field is supported by cryptsetup's --keyfile-size option. I don't see <offset> being widely used as it's not even documented. Coupled with systemd not supporting anything like this, I'd like to cowardly refuse to implement it.

I looked into adding a --keyfile-offset option to cryptsetup directly. It doesn't look too bad but does require an API change to libcryptsetup. We'll not worry about this now.

So this means no more generating keyfiles with dd and piping them into cryptsetup, they can all just be passed via the --key-file=<real_filename> option.

3) -, none, and ASK will all mean interactive.

4) SWAP will be held onto for compatibility and will imply /dev/urandom. (This is probably pointless though because the options field won't be compatible and crypttab will need editing anyway)

5) *. We're dropping plaintext password support.

Anything other than /*,-,none,ASK,SWAP will either be an error, or fall back to interactive.
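The key-field rules above, sketched as an added shell example (not code from the original post or from initscripts). It assumes the "error" choice for unsupported fields, and the function name key_args and the mount point /run/keydev are hypothetical.

```shell
#!/bin/sh
# Hypothetical mount point where a hook would mount the keydev= device.
KEYDEV_MNT=${KEYDEV_MNT:-/run/keydev}

# key_args KEYFIELD OPTIONS
# Prints the cryptsetup key argument for one crypttab entry, or nothing when
# the passphrase is to be asked interactively. Fails for a rejected field.
# The body is a subshell so the IFS and noglob changes stay local.
key_args() (
    key=$1 opts=$2 keydev=
    set -f; IFS=,
    for o in $opts; do
        case $o in keydev=*) keydev=${o#keydev=} ;; esac
    done
    case $key in
        -|none|ASK) ;;                          # interactive: no key argument
        SWAP) echo "--key-file=/dev/urandom" ;; # kept for compatibility
        /*)
            if [ -n "$keydev" ]; then
                # Key path is relative to the root of the keydev filesystem.
                echo "--key-file=$KEYDEV_MNT$key"
            else
                echo "--key-file=$key"
            fi ;;
        *)
            # Former plaintext-password syntax: refuse, and never echo the
            # value, since it may be a real passphrase headed for a log.
            echo "crypttab: unsupported key field (value withheld)" >&2
            exit 1 ;;
    esac
)

# Constructed sample entries: "<key field> <options>"
while read -r k o; do
    printf '%-20s -> %s\n' "$k" "$(key_args "$k" "$o" 2>&1)"
done <<'EOF'
ASK
SWAP
/etc/keys/usr.key
/keys/usr.key luks,keydev=/dev/mapper/root
hunter2
EOF
```

Withholding the rejected value matters during migration: an old crypttab may still carry a real passphrase in that field, and boot messages often end up in the journal or on the console.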