warn about keyfiles

tsa/howto/new-machine-hetzner-robot.mdwn

@@ -171,7 +171,12 @@ which we'll use below.
         cryptsetup luksRemoveKey /dev/md1 --key-file=/tmp/fai/crypt_dev_md1 &&
         cryptsetup luksRemoveKey /dev/md2 --key-file=/tmp/fai/crypt_dev_md2
 
-    ... although that doesn't correctly setup the second disk to use a keyfile.
+    ... although that doesn't correctly setup the second disk to use a
+    keyfile.
+    
+    TODO: in an install following the above procedure, a keyfile was
+    left unprotected in `/etc`. Make sure we have strong mechanisms to
+    avoid that ever happening again.
 
  8. Review the crypto configuration: