osresearch / safeboot

Scripts to slightly improve the security of the Linux boot process with UEFI Secure Boot and TPM support
https://safeboot.dev/
GNU General Public License v2.0

Break-glass recovery feature needed #138

Open nicowilliams opened 3 years ago

nicowilliams commented 3 years ago

Break-glass recovery == change the dTPM or the entire device (but not local storage) of an enrolled device.

This requires decrypting the enrolled assets, as encrypted to an escrow agent's key, then re-encrypting them to the new EKpub. Decryption of enrolled assets with the escrow key might require off-line interactions, or executing complex EA policies, but sbin/attest-enroll should at least support the use of trivial escrow agents.
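The flow sketched in the comment above (enroll to the device's EK and to an escrow key, then on TPM replacement decrypt via escrow and re-encrypt to the new EKpub), as an added illustration that is not safeboot code and not the commenter's. Real enrollment wraps secrets to the TPM's endorsement key with TPM2_MakeCredential, and the EK private half never leaves the chip; here the device EK, the escrow agent and the asset (a constructed stand-in for a disk key) are all ordinary RSA-2048 keys and byte strings so it runs offline. The function names, the `Bundle` layout and the "fresh content key on break-glass" rule are assumptions of this example, not anything attest-enroll does.

```python
"""Escrow-backed break-glass re-enrollment, modelled with RSA-OAEP and AES-GCM.

Added illustration, not safeboot code. A real enrollment wraps secrets to the
TPM's endorsement key with TPM2_MakeCredential and the EK private half never
leaves the chip; here every party is an ordinary RSA-2048 key so it runs offline.
"""
import os
from dataclasses import dataclass

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


@dataclass
class Bundle:
    """What the enrollment server keeps for one asset of one device (assumed layout)."""
    nonce: bytes
    ciphertext: bytes        # asset under a fresh per-asset content key (AES-256-GCM)
    wrap_for_device: bytes   # content key under the device's EKpub
    wrap_for_escrow: bytes   # content key under the escrow agent's public key


def gen_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def enroll(asset, ek_pub, escrow_pub, name):
    """Encrypt `asset` once and wrap the content key to both recipients."""
    cek = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    ciphertext = AESGCM(cek).encrypt(nonce, asset, name)  # asset name bound as AAD
    return Bundle(nonce, ciphertext,
                  ek_pub.encrypt(cek, OAEP), escrow_pub.encrypt(cek, OAEP))


def _open(bundle, cek, name):
    return AESGCM(cek).decrypt(bundle.nonce, bundle.ciphertext, name)


def recover_on_device(bundle, ek_priv, name):
    """Normal path: the enrolled device unwraps with its own EK."""
    return _open(bundle, ek_priv.decrypt(bundle.wrap_for_device, OAEP), name)


def break_glass(bundle, escrow_priv, new_ek_pub, escrow_pub, name):
    """Replaced TPM/device: decrypt via escrow, re-enroll to the new EKpub.

    A fresh content key is generated so the old EK wrap (and hence the old
    TPM, if it still exists) cannot open the new bundle.
    """
    cek = escrow_priv.decrypt(bundle.wrap_for_escrow, OAEP)  # the escrow interaction
    asset = _open(bundle, cek, name)
    return enroll(asset, new_ek_pub, escrow_pub, name)


def try_recover(bundle, ek_priv, name):
    """Return the asset, or None when the key cannot open the bundle."""
    try:
        return recover_on_device(bundle, ek_priv, name)
    except (ValueError, InvalidTag):
        return None


def demo():
    """Walk through enrollment, TPM replacement and recovery; returns outcomes."""
    asset = b"constructed-sample-luks-key"   # constructed stand-in for a disk key
    name = b"rootfs.key"
    old_ek, new_ek, escrow, other_escrow = (gen_key() for _ in range(4))

    first = enroll(asset, old_ek.public_key(), escrow.public_key(), name)
    # Wrong escrow agent: the OAEP unwrap fails before any plaintext is seen.
    try:
        break_glass(first, other_escrow, new_ek.public_key(), escrow.public_key(), name)
        wrong_escrow_rejected = False
    except ValueError:
        wrong_escrow_rejected = True
    renewed = break_glass(first, escrow, new_ek.public_key(), escrow.public_key(), name)

    return {
        "old_device_opens_old_bundle": try_recover(first, old_ek, name) == asset,
        "new_device_opens_new_bundle": try_recover(renewed, new_ek, name) == asset,
        "old_device_opens_new_bundle": try_recover(renewed, old_ek, name) == asset,
        "wrong_escrow_rejected": wrong_escrow_rejected,
    }


if __name__ == "__main__":
    for outcome, value in demo().items():
        print(f"{outcome}: {value}")
```

The single line in `break_glass` that calls `escrow_priv.decrypt` is where the "off-line interactions" or EA policies the comment mentions would sit: with a non-trivial escrow agent the server hands over `wrap_for_escrow` and receives the content key back, and nothing else in the flow changes. Generating a new content key on re-enrollment, rather than only re-wrapping the old one, is what makes the old EK wrap useless afterwards, which matters when the old TPM is still around.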