Working on adding the hashed file directory on install time

includes/install.core.inc

@@ -968,6 +968,12 @@ function install_settings_form_submit($form, &$form_state) {
     'value'    => drupal_hash_base64(drupal_random_bytes(55)),
     'required' => TRUE,
   );
+  // This duplicates drupal_get_token() because that function relies on a 
+  // global hash salt which hasn't been set yet.
+  $settings['drupal_config_directory'] = array(
+    'value'     => 'config_' . drupal_hmac_base64($value, session_id() . drupal_get_private_key() . $settings['drupal_hash_salt']['value']),
+    'required'  => TRUE,
+  );
   drupal_rewrite_settings($settings);
   // Indicate that the settings file has been verified, and check the database
   // for the last completed task, now that we have a valid connection. This

sites/default/default.settings.php

@@ -211,6 +211,21 @@ $update_free_access = FALSE;
  */
 $drupal_hash_salt = '';
 
+/**
+ * Location of the site configuration files.
+ *
+ * By default, Drupal configuration files are stored in a randomly named
+ * directory under the default public files path etc.
+ *
+ * For enhanced security, you may set this variable to a location
+ * outside your docroot.
+ *
+ * Example:
+ *   $drupal_config_directory = '/some/directory/outside/webroot';
+ *
+ */
+$drupal_config_directory = '';
+
 /**
  * Base URL (optional).
  *