RFE: keyring trusted/encrypted key support
I would like to use encrypted keys with certain volumes, as the kernel supports transparently protecting them using a TPM.
Since the keys' raw contents are only accessible in-kernel, this would probably mean using them to hold the raw volume key – not a passphrase.
- If possible, dm-crypt should accept 'encrypted' and/or 'trusted' key types, as currently it only whitelists 'user' and 'logon'.
- cryptsetup should support directly using a specified keyring key as volume key (without any keyslot/passphrase prompt)…
- …or even better, support storing the sealed key in the header and automatically loading it into the kernel on demand (i.e. the equivalent of `keyctl add encrypted foo "load <blob>" @u`).
I'm using LUKS2 volumes with cryptsetup 2.1.0. Apologies if I've missed that this is already supported.
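The save/load step the RFE asks cryptsetup to automate, as an added example (not code from the issue or from cryptsetup): `check_blob_header` validates the shape of a saved encrypted-key blob offline, and `encrypted_key_roundtrip` creates an `encrypted` key, exports it with `keyctl pipe`, drops it and reloads it from the blob. Assumptions: keyutils and a kernel with the encrypted-keys module, root to run the round trip, a `user` master key standing in for a TPM-sealed `trusted` key, and the made-up key descriptions `kmk-demo` and `vk-demo`; the sample blob is constructed, not a real kernel export.

```shell
#!/bin/sh
# Added example, not from the issue or from cryptsetup: round-trip an
# 'encrypted' kernel key through the save/load path that the RFE would like
# cryptsetup to drive from the LUKS2 header.  The round trip needs root,
# keyutils (keyctl) and the encrypted-keys module; the blob check runs anywhere.
set -eu

# The kernel exports an encrypted key (keyctl pipe / keyctl print) as one line:
#   <format> <master-key-type>:<master-key-desc> <decrypted-datalen> <hex>
# Check a saved blob against that shape before handing it back to the kernel,
# so a truncated or hand-edited blob fails here rather than as an opaque error
# from "keyctl add encrypted ... load".
# Prints "<format> <master> <datalen>" on success, returns 1 otherwise.
check_blob_header() {
    set -- $1                                   # split the blob on whitespace
    [ $# -eq 4 ] || return 1
    case "$1" in default|ecryptfs|enc32) ;; *) return 1 ;; esac
    case "$2" in trusted:?*|user:?*) ;; *) return 1 ;; esac   # the only master key types
    case "$3" in ''|*[!0-9]*) return 1 ;; esac
    case "$4" in ''|*[!0-9a-f]*) return 1 ;; esac
    [ $(( ${#4} % 2 )) -eq 0 ] || return 1                     # whole bytes only
    printf '%s %s %s\n' "$1" "$2" "$3"
}

# Constructed sample blob (not a real kernel export), sized like the export of
# a 64-byte payload: 16-byte IV + 64-byte ciphertext + 32-byte HMAC = 112 bytes.
SAMPLE_HEX=$(printf '00112233445566778899aabbccddeeff%.0s' 1 2 3 4 5 6 7)
SAMPLE_BLOB="default trusted:kmk 64 $SAMPLE_HEX"

# Full round trip; run as root with: sh thisfile.sh run
# A TPM-sealed 'trusted' key would be the master key in production; a 'user'
# key is substituted so the demo works without a TPM.  kmk-demo and vk-demo
# are made-up descriptions.  64 bytes matches a 512-bit aes-xts-plain64 key.
encrypted_key_roundtrip() {
    kmk=$(tr -dc 'a-f0-9' </dev/urandom | head -c 64 | keyctl padd user kmk-demo @u)
    ekey=$(keyctl add encrypted vk-demo "new default user:kmk-demo 64" @u)
    blob=$(keyctl pipe "$ekey")
    check_blob_header "$blob"                   # prints "default user:kmk-demo 64"
    keyctl unlink "$ekey" @u                    # simulate a reboot: only the blob survives

    # The step the RFE wants done automatically from the LUKS2 header.
    reloaded=$(keyctl add encrypted vk-demo "load $blob" @u)
    # Userspace never sees the decrypted payload; re-exporting the reloaded key
    # must give the identical blob back, which is the only check available
    # outside the kernel.
    [ "$(keyctl pipe "$reloaded")" = "$blob" ] || { echo "blob mismatch" >&2; return 1; }
    echo "reloaded encrypted key id $reloaded"
    keyctl unlink "$reloaded" @u
    keyctl unlink "$kmk" @u
}

case "${1:-}" in
    run) encrypted_key_roundtrip ;;
esac
```

The reloaded key's serial is what a dm-crypt table would reference through the `:<key_size>:<key_type>:<key_description>` key syntax, which, as the issue notes, today takes only `user` and `logon` for `<key_type>`; that is the gap the RFE is about.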