On installation, PureOS sets up two ways to unlock the disk containing the root filesystem: one password-based and one keyfile-based.
The keyfile is /crypto_keyfile.bin on said disk. All subsequent partitions are unlocked using this keyfile, and all remounts can be done with it as well. The file itself consists of 2048 bytes of random data and is generated at installation time (live setups) or initial setup time (for OEM setups), so nobody except for the owner has access to it, and only if they decrypted the file with their password first.
So, in summary:
- Partition mounted as /boot => No encryption (can be verified by TPM)
- Partition mounted as / => Encrypted with the user’s password and the randomly generated /crypto_keyfile.bin as secondary key which is on / (hence, to access it you need to decrypt the partition first)
- Partition mounted as swap => Reformatted and encrypted with a randomly generated key on every boot
- Every other partition that might exist on the system => Decrypted via /crypto_keyfile.bin after the root filesystem has been mounted.
So, the second keyslot you see is very likely the one for the decryption file.
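
To confirm which keyslot belongs to the keyfile, the following added example (not PureOS code and not part of the original text) checks the file against the 2048-byte size given above and asks cryptsetup which slot it opens. The permission rule, the script name `audit-keyfile.sh`, and the device argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not PureOS code): audit /crypto_keyfile.bin and find its keyslot.
KEYFILE_SIZE=2048            # size stated in the text above

# check_keyfile PATH
# Succeeds only if PATH is a regular file of exactly KEYFILE_SIZE bytes with
# no group/other permission bits (the permission rule is this example's assumption).
check_keyfile() {
    f=$1
    [ -f "$f" ] || { echo "missing or not a regular file: $f"; return 1; }
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -eq "$KEYFILE_SIZE" ] || { echo "unexpected size: $size bytes"; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    go_bits=$(ls -ld "$f" | cut -c5-10)
    [ "$go_bits" = "------" ] || { echo "accessible beyond owner: $go_bits"; return 1; }
    echo "ok: $f"
}

# parse_unlocked_slot
# Reads `cryptsetup -v` output on stdin and prints the keyslot number from
# the "Key slot N unlocked." line; prints nothing if no slot was unlocked.
parse_unlocked_slot() {
    sed -n 's/^Key slot \([0-9][0-9]*\) unlocked\.$/\1/p'
}

# keyslot_for_keyfile DEVICE KEYFILE
# --test-passphrase only verifies the key; it does not map the device.
keyslot_for_keyfile() {
    LC_ALL=C cryptsetup -v open --test-passphrase --key-file "$2" "$1" 2>&1 |
        parse_unlocked_slot
}

# Usage (as root): sh audit-keyfile.sh /dev/DEVICE /crypto_keyfile.bin
if [ "$#" -eq 2 ]; then
    check_keyfile "$2" || exit 1
    slot=$(keyslot_for_keyfile "$1" "$2")
    [ -n "$slot" ] || { echo "keyfile does not open any keyslot on $1"; exit 1; }
    echo "keyfile opens keyslot $slot on $1"
fi
```

The slot number it reports can be compared against the keyslots listed by `cryptsetup luksDump` for the same device.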