Status: Proposal — not implemented.
Opt-in per-volume LUKS2 encryption, decrypted host-side by capsuled. Per-volume keys are wrapped by a node master key that capsuled unseals from the TPM at boot (preferred) or derives from an operator passphrase (TPM-less fallback). Every encrypted volume carries a recovery key printed once at create time; the node master carries a master recovery code printed once at init — both LUKS-native escape hatches that survive TPM death, motherboard swap, or disk relocation.
Invariant: no single hardware failure, config change, or capsuled crash makes data unrecoverable, provided the operator kept the emitted recovery codes.
📄 Full proposal: https://github.com/Project-Capsule/capsule/blob/main/docs/encrypted-volumes.md
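A simplified model of the key hierarchy described above, added here as an illustration and not taken from the Capsule proposal or code base. The AES-256-GCM wrapping, the `Volume` record and every function name are assumptions; the two wrapped copies stand in for two LUKS2 keyslots. It shows that losing the node master key (for example a dead TPM) leaves the recovery path intact.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Hypothetical model (not Capsule's code): one data key, two independent unlock paths.
type Key [32]byte
type Volume struct{ ByMaster, ByRecovery []byte }

func newKey() (k Key) {
	if _, err := rand.Read(k[:]); err != nil {
		panic(err)
	}
	return k
}

func gcm(k Key) cipher.AEAD {
	blk, _ := aes.NewCipher(k[:]) // cannot fail: key is always 32 bytes
	g, _ := cipher.NewGCM(blk)    // cannot fail: AES has a 16-byte block
	return g
}

// wrap seals key under kek with AES-256-GCM: 12-byte nonce || ciphertext || tag.
func wrap(kek, key Key) []byte {
	n := newKey() // only the first 12 random bytes are used, as the nonce
	return gcm(kek).Seal(n[:12:12], n[:12], key[:], nil)
}

func unwrap(kek Key, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, fmt.Errorf("wrapped key too short: %d bytes", len(blob))
	}
	return gcm(kek).Open(nil, blob[:12], blob[12:], nil) // errors on wrong kek or tampering
}

func Create(master Key) (Volume, Key, Key) { // volume, data key, print-once recovery key
	dataKey, recovery := newKey(), newKey()
	return Volume{wrap(master, dataKey), wrap(recovery, dataKey)}, dataKey, recovery
}

func main() {
	vol, _, recovery := Create(newKey())
	_, errMaster := unwrap(newKey(), vol.ByMaster) // replaced TPM: different master
	_, errRecovery := unwrap(recovery, vol.ByRecovery)
	fmt.Println("master path:", errMaster, "| recovery path:", errRecovery)
}
```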