I'd do the same thing for keyfs also, i.e., put /adm/keys and /adm/secstore on the kfs and not make them visible to most processes. You'll have to protect /srv/kfs and /srv/kfs.cmd also so that only the hostowner can open them.