With the read-only media you've got a problem with upgrading the kernel, which, recently, you need to be doing quite often.
As for the PGP smartcard, I've posted a comment on the blog that it could hold the private key used for decrypting the keyfile for the Full-Disk Encryption.