late reply. but i’ve been thinking about this one a lot more lately as i wouldn’t mind getting a newer machine. cryptsetup offers the ability to use a gpg encrypted keyfile with /boot to open a / drive for a host.
yes, there is the issue with a killed keyslot not being removed from an ssd. however, the method i prefer for encrypting disks with luks is probaby a good mitigation technique. after you create your luks encrypted host, create a random 8192 byte keyfile as your next key slot. then, gpg encrypt it and have /boot on a small external device that is easy to hide, lose or destroy. use the gpg encrypted keyfile with cryptsetup to unlock your host root drive.
in this regard, a potential compromise of someone witnessing you type your passphrase is less of an issue, since you can simply create a new boot drive in private with a new random key as described above and then destroy the old boot key. without access to the old boot key, an attacker is going to have a harder time decrypting an old key found in the presence of an ssd, simply because there is no way you will know a random 8192 byte passphrase, which is what will be the attack vector on the ssd.
the only other catch is that, when creating the initial luks drive during an install, you need to choose a passphrase that is sufficiently random enough so that you absolutely will not remember it after you discard it in favor of the 8192 keyfile based keyslot. but, it’s very doable.
if i’m missing something here, please share. i’ve avoided ssds due to this problem. however, i think the above use scenario is likely sufficient enough to prevent the pitfalls of the persistence of data on an ssd. if an attacker sees you type a passphrase, it’s simply not the actual key to unlocking the drive unless they happen to apprehend you with a copy of the /boot drive, which will natrually have the gpg encrypted keyfile on it. and, obviously, you’ll likely know the passphrase to decrypt the gpg encrypted keyfile.
perhaps this is all security theater. but with the above steps, particularly given how people tend to find themselves in trouble when it comes to encryption, i’m not sure the risks are potentially greater with an ssd at this point. to combat compromise of a passphrase in such scenarios generally requires advance knowledge. if you are caught by surprise with a standard magnetic drive or sdd, game is basically over depending on how barbaric your attacker is.