gitbls / sdm

Raspberry Pi SD Card Image Manager
MIT License

Get Luks key from OTP? #242

Open henryjliu opened 2 months ago

henryjliu commented 2 months ago

Any chance you can add getting the LUKS key from OTP on boot with initramfs? It's pretty easy with https://github.com/raspberrypi/rpi-eeprom/blob/e430a41e7323a1e28fb42b53cf79e5ba9b5ee975/tools/rpi-otp-private-key

This would make it a lot more convenient and secure. Namely, you can sign the boot loader to prevent it from being modified, then just decrypt LUKS automatically for reasonable security.

Sure, you can dump the key if you manage root access, but without root access it seems secure.

gitbls commented 2 months ago

I've actually got this on my todo list, and have a couple of YubiKeys in hand. I'll def get to it, no target date yet.

In the meantime, I hope you're finding sdm useful for your Pi projects.