grub.cfg will need to be adjusted to take advantage of a keyfile on the pendrive
(the filename should be configurable, and probably the UUID of the pendrive too).
This shouldn't be much trouble. I can get this done soon.
One possibility to enable keyfile + passphrase would be to encrypt the pendrive that holds the keyfile, and unlock it with a password.
This way there is no need to write extra code to support a proper keyfile format.
grub.cfg would look for a pendrive with some particular label (LibreKey*? a random string?), cryptomount it, and use the keyfile to mount the HDD with FDE. If no pendrive with that label is found, fall back to password unlock.
* probably LibreKey, to make sure that people who care about it not being easily identifiable change it in the config. Together with an offset for the passphrase, to hide it inside another file like some JPEG or something (polyglot/funky file format files).
Perhaps grub.cfg could be stored on the pendrive as well, to make it harder to identify the file hiding the passphrase? I.e. it would export a few variables and reload grub.cfg from flash using include (this might not change anything, just make it harder to create the pendrive). If implemented, it needs to be signed.
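The flow sketched above (password-unlocked pendrive found by label, keyfile at a configurable path/offset, password fallback, optional signed grub.cfg hand-over) as an added grub.cfg fragment; this is an illustration, not code from the project or the discussion. It assumes the pendrive is a LUKS container whose inner filesystem carries the label, placeholder UUIDs, a hypothetical keyfile hidden in a JPEG, and a GRUB whose cryptomount understands -k/-O/-S (upstream since GRUB 2.12; older builds lack them).

```grub
# Added example, not the project's own grub.cfg. Placeholders are marked.
insmod part_gpt
insmod cryptodisk
insmod luks
insmod luks2
insmod search_label

# Everything site-specific lives in variables so a deployment can change it
# (label, pendrive UUID, keyfile path, offset/size inside the carrier file).
set keydev_label="LibreKey"
set keydev_uuid="PENDRIVE-LUKS-UUID-PLACEHOLDER"
set hdd_uuid="HDD-LUKS-UUID-PLACEHOLDER"
set keyfile_path="/photos/holiday.jpg"   # hypothetical polyglot carrier file
set keyfile_offset=65536                 # byte offset of the key material
set keyfile_size=512                     # bytes of key material to read

# 1. Try the pendrive: cryptomount prompts for the pendrive password.
#    A missing pendrive makes cryptomount fail, which selects the fallback.
if cryptomount -u "$keydev_uuid"; then
    # 2. The label is only visible once the container is open.
    if search --label --set=keydev "$keydev_label"; then
        # 3. Unlock the FDE disk with the keyfile slice, no second prompt.
        cryptomount -u "$hdd_uuid" \
            -k "($keydev)$keyfile_path" -O "$keyfile_offset" -S "$keyfile_size"
    else
        cryptomount -u "$hdd_uuid"       # label absent: password unlock
    fi
else
    # 4. No pendrive present: plain interactive password unlock of the HDD.
    cryptomount -u "$hdd_uuid"
fi

# Optional second stage discussed above: continue from a grub.cfg on the
# pendrive. It must be signed; enforce verification before loading it, which
# requires the trusted GPG key to be embedded in the GRUB image.
if [ -n "$keydev" ]; then
    set check_signatures=enforce
    export keydev keyfile_path keyfile_offset keyfile_size
    configfile "($keydev)/grub.cfg"
fi
```

With check_signatures=enforce GRUB refuses the pendrive's grub.cfg unless a detached signature next to it verifies, so an attacker who swaps the file cannot redirect the boot flow.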