Comment on [deleted]
dont@lemmy.world 4 weeks agoYes, I was thinking about storing encrypted keys, but still, using claims is clearly just wrong… Using a vault to store the key is probably the way to go, even though it adds another service the setup depends on.
Eknz@lemmy.eknz.org 4 weeks ago
A fall-back to the current way of unlocking the drive would probably be a good idea. It wouldn’t be fun to lose access to something because a cloud service went down or access to it was lost etc.
dont@lemmy.world 4 weeks ago
Definitely! I have bmc/kvm everywhere (well, everywhere that matters).
I have talked myself out of this (for now), though. I think if I ever find the time to revisit this, I will try to to it by injecting some oidc-based approval (memo to myself: ciba flow?) into something like clevis/tang.