Index: generic/initrd.scripts
===================================================================
--- generic/initrd.scripts	(revision 667)
+++ generic/initrd.scripts	(working copy)
@@ -116,7 +116,7 @@
 #				else
 #					mount -r -t auto ${x} ${mntdir} &>/dev/null
 #				fi
-				mount -r -t ${CDROOT_TYPE} ${x} ${mntdir} >/dev/null 2>&1
+				mount -r -t ${CDROOT_TYPE} ${x} ${mntdir} >/dev/null 2>&1 || mount -r -t auto ${x} ${mntdir} >/dev/null 2>&1
 				if [ "$?" = '0' ]
 				then
 					# Check for the media
@@ -662,6 +662,18 @@
 	fi
 }
 
+
+# Overwrite and delete file
+wipeFile() {
+	if [ -f "$1" ] ; then
+		#size=`stat -c %s "$1"`
+		size=4096
+		dd if=/dev/urandom of="$1" conv=notrunc bs=1 count=$size >/dev/null 2>&1
+		dd if=/dev/zero of="$1" conv=notrunc bs=1 count=$size >/dev/null 2>&1
+		rm "$1"
+	fi
+}
+
 # Open a LUKS device
 # It is either the root or a swap, other devices are supported in the scripts provided with sys-fs/cryptsetup-luks
 # $1 - root/swap
@@ -681,8 +693,11 @@
 	eval local LUKS_DEVICE='"${CRYPT_'${TYPE}'}"' LUKS_NAME="$1" LUKS_KEY='"${CRYPT_'${TYPE}'_KEY}"' LUKS_KEYDEV='"${CRYPT_'${TYPE}'_KEYDEV}"'
 	local DEV_ERROR=0 KEY_ERROR=0 KEYDEV_ERROR=0
 	local mntkey="/mnt/key/" cryptsetup_options=''
+	local LUKS_KEY_PLAIN=${LUKS_KEY%.gpg}
+	local LUKS_KEY_TMP="/temp/key-${LUKS_KEY_PLAIN}"
 
 	[ ! -e /sbin/cryptsetup ] && bad_msg "The initrd does not support LUKS" && exit 1
+	[ "$LUKS_KEY_PLAIN" != "$LUKS_KEY" ] && [ ! -e /sbin/gpg ] && bad_msg "The initrd does not suport GPG" && exit 1
 	while [ 1 ]
 	do
 		# if crypt_silent=1 and some error occurs, enter shell quietly
@@ -762,14 +777,27 @@
 								umount -n ${mntkey} 2>/dev/null >/dev/null
 								KEY_ERROR=1
 								KEYDEV_ERROR=1
-								bad_msg "Key {LUKS_KEY} on device ${LUKS_KEYDEV} not found." ${CRYPT_SILENT}
+								bad_msg "Key ${LUKS_KEY} on device ${LUKS_KEYDEV} not found." ${CRYPT_SILENT}
 								continue
 							fi
 						fi
 					fi
 					# At this point a candidate key exists (either mounted before or not)
 					good_msg "${LUKS_KEY} on device ${LUKS_KEYDEV} found" ${CRYPT_SILENT}
-					cryptsetup_options="-d ${mntkey}${LUKS_KEY}"
+					# Is gpg encrypted?
+					if [ "${LUKS_KEY_PLAIN}" != "${LUKS_KEY}" ] ; then
+						if [ ! -e "${LUKS_KEY_TMP}" ] ; then
+							gpg --homedir /.gpg -o "${LUKS_KEY_TMP}" "${mntkey}${LUKS_KEY}"
+							if [ ! -e "${LUKS_KEY_TMP}" ] ; then
+								KEY_ERROR=1
+								bad_msg "Unable to decrypt ${LUKS_KEY}" ${CRYPT_SILENT}
+								continue
+							fi
+						fi
+						cryptsetup_options="-d ${LUKS_KEY_TMP}"
+					else
+						cryptsetup_options="-d ${mntkey}${LUKS_KEY}"
+					fi
 				fi
 				# At this point, keyfile or not, we're ready!
 				crypt_filter "cryptsetup ${cryptsetup_options} luksOpen ${LUKS_DEVICE} ${LUKS_NAME}"
@@ -788,6 +816,11 @@
 	done
 	umount ${mntkey} 2>/dev/null >/dev/null
 	rmdir -p ${mntkey} 2>/dev/null >/dev/null
+	if [ ${DEV_ERROR} != 0 ] || [ ${KEY_ERROR} != 0 ] || [ ${KEYDEV_ERROR} != 0 ] ; then
+		for i in /temp/key-* ; do
+			wipeFile "${i}"
+		done
+	fi
 }
 
 startLUKS() {
@@ -820,6 +853,11 @@
 			REAL_RESUME="/dev/mapper/swap"
 		fi
 	fi
+
+	# wipe decrypted key files
+	for i in /temp/key-* ; do
+		wipeFile "${i}"
+	done
 }
 
 sdelay() {