Remote Laptop disk encryption, break glass

Çağlar Arlı

I am stuck with an issue of needing a break glass account on remote laptops. It's a bit of a strange situation. The laptops are built and rebuilt remotely using a small PXE setup that goes with the equipment.

The PXE server has a default password built into the LUKS disk encryption; this is changed during the post install phase of the build by the user.

The obvious solution would be to build in a secondary key that I already know about. The problem with this is that the key would need to be shipped with the PXE server; it basically becomes a back door that the users could abuse, as all they need to do is have a browse at the PXE/kickstart setup to find the password for the 2nd key.

Is there a way that I could asynchronously generate a key at run/build time that only I can discover or decode locally based on some parameter (maybe MAC address and/or something; I am sure there is a better parameter)?

Please, any thoughts on this one? It has me stumped!
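One way to get a key that is generated at build time but readable only by the administrator, shown as an added example that is not part of the original post: create a random per-machine LUKS key during post-install and wrap it with an administrator RSA public key, so only the public half ever ships with the PXE/kickstart tree. The function names, file names and the use of an RSA key pair are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names throughout.
# Only the admin PUBLIC key is stored on the PXE server; the private key
# never leaves the administrator's workstation.

# wrap_breakglass_key PUBKEY_PEM OUT_DIR
# Creates OUT_DIR/breakglass.key (random 32-byte LUKS key file) and
# OUT_DIR/breakglass.enc (RSA-OAEP ciphertext that is safe to escrow).
# Runs in a subshell so the restrictive umask does not leak to the caller.
wrap_breakglass_key() (
    pub=$1; out=$2
    umask 077
    head -c 32 /dev/urandom > "$out/breakglass.key" || exit 1
    openssl pkeyutl -encrypt -pubin -inkey "$pub" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$out/breakglass.key" -out "$out/breakglass.enc" || exit 1
)

# enroll_breakglass_key DEVICE EXISTING_KEYFILE OUT_DIR
# Run as root in post-install. EXISTING_KEYFILE holds a passphrase that
# already unlocks DEVICE (no trailing newline). Adds the random key to a
# spare LUKS slot, then destroys the plaintext copy; only the ciphertext
# remains on or near the laptop.
enroll_breakglass_key() {
    cryptsetup luksAddKey --key-file "$2" "$1" "$3/breakglass.key" || return 1
    shred -u "$3/breakglass.key"
}

# unwrap_breakglass_key PRIVKEY_PEM ENC_FILE OUT_FILE
# Run on the administrator's workstation only, when break-glass is needed.
unwrap_breakglass_key() {
    openssl pkeyutl -decrypt -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$2" -out "$3"
}
```

Because each laptop gets its own random key, reading the kickstart files yields nothing that unlocks a disk, and recovering one machine's key does not expose any other machine.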