Protect signing keys

The keys in /etc/secure-boot/*.key should be protected, maybe moved on an automount usb or protected with a passphrase. 
For the second option that would interfere with automatically running the post-install hook in pacman.
