not an issue but thought i'd add it here in case anyone is interested.
a bit ago I fiddled with ocicrypt key providers and came up with basic (alpha quality, charitably) ways to support ocicrypt with KMS (GCP for now) and TPM
https://github.com/salrashid123/ocicrypt-kms-keyprovider
allows you to encrypt a layer with GCP KMS
https://github.com/salrashid123/ocicrypt-tpm-keyprovider
allows you to encrypt an image remotely with a TPM's endorsement public key (EKPub). the image is encrypted in such a way that it can only be decrypted on the TPM that owns the EK. you can also encrypt it remotely such that it only decrypts when the target machine is in a specific state (as described by PCR values)
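The "specific state (as described by PCR values)" part is worth making concrete. A TPM enforces it with a policy session: the layer key is sealed to a policy digest derived from the expected PCR values, and the TPM only releases it when TPM2_PolicyPCR over the live PCRs reproduces that digest. The Go program below is an added illustration, not code from the ocicrypt-tpm-keyprovider repo or from ocicrypt itself. It reconstructs, in software and following the TPM 2.0 specification, the PolicyPCR digest for a SHA-256 PCR bank, and shows that one extra measurement into a bound PCR changes the digest, which is exactly why an image bound this way stops decrypting after an unexpected boot-chain change. The PCR indices, measurement strings and the 24-PCR bank are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"sort"
)

// TPM_CC_PolicyPCR command code (TPM 2.0 Library, Part 2, command codes).
const tpmCCPolicyPCR uint32 = 0x0000017F

// TPM_ALG_SHA256 algorithm identifier.
const tpmAlgSHA256 uint16 = 0x000B

// pcrBank models the 24 PCRs of a TPM's SHA-256 bank (constructed, in-memory).
type pcrBank [24][32]byte

// extend models TPM2_PCR_Extend: PCR[i] = SHA-256(PCR[i] || measurement).
// A PCR can only be extended, never set, so every boot-chain event leaves a trace.
func (b *pcrBank) extend(i int, measurement []byte) {
	h := sha256.New()
	h.Write(b[i][:])
	h.Write(measurement)
	copy(b[i][:], h.Sum(nil))
}

// marshalPCRSelection encodes a TPML_PCR_SELECTION containing one TPMS_PCR_SELECTION
// for the SHA-256 bank: count (UINT32), hashAlg (UINT16), sizeofSelect (UINT8), bitmap.
func marshalPCRSelection(pcrs []int) []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, uint32(1))
	binary.Write(&buf, binary.BigEndian, tpmAlgSHA256)
	buf.WriteByte(3) // three bytes cover PCRs 0..23
	var sel [3]byte
	for _, p := range pcrs {
		sel[p/8] |= 1 << uint(p%8)
	}
	buf.Write(sel[:])
	return buf.Bytes()
}

// policyPCRDigest computes the digest TPM2_PolicyPCR leaves in a fresh policy session:
//   H(0^32 || TPM_CC_PolicyPCR || TPML_PCR_SELECTION || H(selected PCR values)).
// Sealing a key to this value is what binds it to the machine state.
func policyPCRDigest(bank *pcrBank, pcrs []int) [32]byte {
	idx := append([]int(nil), pcrs...)
	sort.Ints(idx) // PCR values are concatenated in ascending index order
	vals := sha256.New()
	for _, p := range idx {
		vals.Write(bank[p][:])
	}
	pcrDigest := vals.Sum(nil)

	h := sha256.New()
	h.Write(make([]byte, 32)) // a new policy session starts at an all-zero digest
	binary.Write(h, binary.BigEndian, tpmCCPolicyPCR)
	h.Write(marshalPCRSelection(idx))
	h.Write(pcrDigest)
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// keyReleasable mirrors the TPM's unseal decision: the live policy digest must
// equal the digest the key was sealed to.
func keyReleasable(sealedTo, live [32]byte) bool {
	return sealedTo == live
}

func main() {
	bound := []int{0, 7} // constructed choice: firmware (0) and secure-boot policy (7)

	// Expected state the image was encrypted for (constructed measurements).
	var golden pcrBank
	golden.extend(0, []byte("firmware-v1"))
	golden.extend(7, []byte("secure-boot-policy"))
	sealedTo := policyPCRDigest(&golden, bound)
	fmt.Println("sealed to policy:", hex.EncodeToString(sealedTo[:]))

	// Target machine booting the same chain reproduces the digest.
	var target pcrBank
	target.extend(0, []byte("firmware-v1"))
	target.extend(7, []byte("secure-boot-policy"))
	fmt.Println("matching boot releases key:", keyReleasable(sealedTo, policyPCRDigest(&target, bound)))

	// One unexpected event in a bound PCR and the TPM refuses to unseal.
	target.extend(7, []byte("unexpected-component"))
	fmt.Println("altered boot releases key: ", keyReleasable(sealedTo, policyPCRDigest(&target, bound)))
}
```

Two practical consequences follow from the digest construction: a PCR that is not in the selection has no influence, so the operator choosing which PCRs to bind decides what "specific state" means, and any legitimate firmware or bootloader update to a bound PCR changes the digest, so a re-encryption (or a second policy branch) has to be planned for before the update ships.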