luks2crypt
luks2crypt copied to clipboard
Use local stored key to manage recovery keys
luks2crypt should generate and use a local key to manage the escrowed recovery keys. This would allow luks2crypt to not keep a cleartext cached password locally on the host. It would also enable it to rotate passwords on a scheduled basis.
Ex:
- luks slot 1 would contain a locally generated cert stored in /etc/luks2crypt/adminkey
- luks slot 2 would contain a recovery key. This would then be escrowed an no local copy would be kept.
- luks slot 3+ would be used for user keys.
Luks2crypt would then be able to rotate slot 2 at a scheduled interval or with a cli flag.