Most important thing remember if it an encryption key it can be breached and can need to be replaced. It will be a lot nicer on users. if key replacement is only a reboot instead of disable secure boot mode.
Also to remember key replacement should be performed if person in charge of signing is replaced. So that a person who has left is not walking around with a master key. How is this going to be performed is a very serous consideration. Peter Dolding