Agree, apart from a full-on keylogger, given the password was not super trivial to guess, is some other bad practice like unencrypted swap, though I hope there never was a distro that suggested that setup if you choose full disk encryption in the installer. If he was under surveillance a tampered with initramfs would be my guess.