diff --git a/overlay.d/05core/etc/grub.d/03_boot-etc b/overlay.d/05core/etc/grub.d/03_boot-etc
new file mode 100755
index 0000000000..3de5824fbb
--- /dev/null
+++ b/overlay.d/05core/etc/grub.d/03_boot-etc
@@ -0,0 +1,28 @@
+#!/bin/sh
+exec tail -n +3 $0
+
+# NOTE: This is superfluous without setting a password on Grub.
+# However, this makes it far more difficult for someone to
+# load up a different initramfs-etc.
+#
+# This code-path is enabled by running as root:
+# /usr/sbin/initramfs-etc --create
+#
+# Then, in the blsconfig add "$initramfs_etc" to the initrd line, i.e
+# initrd /initrd $initramfs_etc
+
+set initramfs_etc=""
+if [ -f "/initramfs-etc.img" ]; then
+ set initramfs_etc="/initramfs-etc.img"
+fi
+
+if [ -f "/coreos.checksums" ]; then
+ insmod gcry_sha256
+ hashsum --hash sha256 --check "/coreos.checksums"
+ if [ "$?" != "0" ]; then
+ unset initramfs_etc
+ echo "Failed to checksum"
+ sleep 30
+ fi
+fi
+
diff --git a/overlay.d/05core/usr/sbin/initramfs-etc b/overlay.d/05core/usr/sbin/initramfs-etc
new file mode 100755
index 0000000000..2613445896
--- /dev/null
+++ b/overlay.d/05core/usr/sbin/initramfs-etc
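Review bot: The hash check in the second `if` can be skipped entirely by deleting `/coreos.checksums`, because the whole verification is gated on `[ -f "/coreos.checksums" ]` while `initramfs_etc` was already set to `/initramfs-etc.img` above it; anyone who can replace the image on /boot can just as easily remove or regenerate the list. A missing list should count as a failed check when the image is present, e.g. add `else` / `unset initramfs_etc` before the final `fi`. Even with that, the hash list sits unsigned on the same partition as the image it covers, so this is tamper-evidence against out-of-band modification rather than authentication; the NOTE comment should say so plainly, and real integrity would need GRUB's `check_signatures`/`verify_detached` with a key baked into a signed GRUB image. Also, on failure the script only unsets `initramfs_etc` and sleeps 30 seconds, so boot proceeds without the config image — a comment should state whether that silent fallback is intended — and `hashsum --check` may need `--prefix` for the bare file names in the list to resolve against the boot partition root (confirm against the GRUB version in use).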
@@ -0,0 +1,51 @@
+#!/bin/bash
+#
+# This creates a config-only initramfs that is signed for use by Grub2.
+#
+
+create() {
+ local archive="/boot/initramfs-etc.img"
+ local includes="${@}";
+
+ if [ ! -d "${key_path}" ]; then
+ key_gen
+ fi
+
+ echo "Generating new ${archive} using Dracut"
+ echo "${archive} will only contain configuration data, no logic"
+
+ local cur_d="${PWD}"
+ local work_d=$(mktemp -d)
+ trap "rm -rf ${work_d}" EXIT
+
+ # Generate a real initrd, but we'll throw it away later
+ # This ensures that we get a "filtered" config, plus the
+ # extra's that we need.
+ dracut "${work_d}/work.img" $(uname -r) \
+ --add "lvm dm multipath" \
+ --hostonly-i18n \
+ --lvmconf \
+ --mdadmconf \
+ --no-hostonly-cmdline \
+ --no-compress \
+ --no-early-microcode \
+ -o "clevis" >> /dev/null
+
+ pushd "${work_d}" >> /dev/null
+ cpio -ic "etc*" < "${work_d}/work.img"
+ for x in "${includes_cfg[@]}"; do
+ test -e "etc/${x}" && cp -auR -t etc "etc/${x}"
+ done
+
+ rm -rf etc/systemd
+ find etc -print | cpio -o -c > "${work_d}/new.img"
+ popd >>/dev/null
+
+ mv "${work_d}/new.img" "${archive}"
+ pushd /boot >> /dev/null
+ ls -1 initramfs* > /boot/coreos.checksums
+ popd >> /dev/null
+ cat /boot/coreos.checksums
+}
+
+create
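Review bot: `ls -1 initramfs* > /boot/coreos.checksums` writes a bare list of file names rather than `HASH  FILE` lines, so the `hashsum --hash sha256 --check` in 03_boot-etc has nothing to verify against and the image is either unprotected or rejected on every boot, depending on how GRUB treats the malformed list; it should be `sha256sum -- initramfs* > /boot/coreos.checksums`. The header comment says the image "is signed for use by Grub2", but nothing in `create` signs anything, and `key_path`, `key_gen` and `includes_cfg` are used without being defined anywhere in this new file — with `key_path` unset, `[ ! -d "" ]` is true so `key_gen` runs and fails with command not found, while the `includes` local is assigned but never read. Either add the signing step (a detached signature that the GRUB side checks with `verify_detached`) or reword the comment to "checksummed". Separately, the script has no `set -euo pipefail`, so a failing `dracut` or `cpio` still lets `mv` install a truncated image, and because the result is an uncompressed copy of `/etc` dropped onto /boot, anything dracut's hostonly config pulls in (`crypttab`, LVM/mdadm config, and whatever `includes_cfg` was meant to add) becomes readable to anyone who can read the boot partition — worth a comment at the top of `create`.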