Description
See problems described in #476 and #421 for context.
The `bootc install to-disk --block-setup tpm2-luks` feature needs to provision either a systemd-cryptenroll recovery key or a default/backup password for the root LUKS volume. This is a necessity to ensure systems can be booted and users are not locked out when TPM PCR hashes change (they can and will change over time as the system is maintained).
Sometimes TPM PCR hashes change -- this is an expected and intended thing that happens on any system used over a period of time, since they measure aspects of the system (which can change over time). Solely relying on the TPM to unlock root volumes is risky and exposes users to a lockout/non-bootable situation without a recovery key or password. A bad and completely avoidable experience.
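The enrollment the issue asks for, as an added example (not bootc's own code, and the issue does not say how bootc itself would do it): bind the LUKS2 volume to the TPM2 with `systemd-cryptenroll`, enroll a generated recovery key as the fallback in a second key slot, then verify that a non-TPM slot actually exists before trusting the machine to reboot. The device path is taken as an argument (the `/dev/disk/by-partlabel/root` path in the comment is hypothetical), and `has_fallback_slot` reads the slot table that `systemd-cryptenroll <device>` prints with no other options, which lists one `SLOT TYPE` row per enrolled slot.

```shell
#!/bin/sh
# Added example, not code from bootc. Assumes systemd-cryptenroll (systemd >= 248)
# and a LUKS2 volume that already has a passphrase to authorize new enrollments.
set -eu

# Enroll the TPM2 binding and a recovery key on the same volume. The recovery
# key is printed exactly once to stdout by systemd-cryptenroll; it must be
# captured and stored out of band, or the fallback slot is useless.
enroll_tpm2_with_fallback() {
  dev="$1"
  # PCR 7 (Secure Boot policy) is the systemd default; binding additional PCRs
  # (kernel, initrd, firmware) makes routine updates invalidate the TPM slot
  # more often, which is exactly when the fallback gets exercised.
  systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 "$dev"
  # Fallback: a generated recovery key in its own slot. It is typed at the
  # normal passphrase prompt when the TPM policy no longer matches.
  systemd-cryptenroll --recovery-key "$dev"
}

# Pure check over the slot listing (stdin), e.g. the output of
# `systemd-cryptenroll /dev/disk/by-partlabel/root` (hypothetical path):
#   SLOT TYPE
#      0 password
#      1 tpm2
#      2 recovery
# Exit 0 when some slot can be unlocked without the TPM, 1 otherwise.
has_fallback_slot() {
  awk '$2 == "recovery" || $2 == "password" { found = 1 } END { exit !found }'
}

# Run against a real device only when one is given on the command line.
if [ $# -gt 0 ]; then
  enroll_tpm2_with_fallback "$1"
  if ! systemd-cryptenroll "$1" | has_fallback_slot; then
    echo "no recovery/password slot on $1: TPM-only unlock is a lockout risk" >&2
    exit 1
  fi
fi
```

When PCR values change for an expected reason (firmware or shim update, Secure Boot key rotation), the volume is opened with the recovery key and the TPM slot is re-enrolled with `systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto <device>`; the recovery slot is left untouched so the next change is survivable too.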