So an interesting thought here...
We are currently running Ansible Vault to store all our account passwords and associated keys. We are currently using LUKS full disk encryption on our virtual machines. To handle booting of these vms we are using this bootleg hack that pulls the key out of a key disk image. We want to stop using this hack. Because it's a hack. Clevis and Tang look extremely promising and we wanted to start using it.
I'm still not entirely familiar with how Tang stores keys and I was wondering if it was possible to integrate Tang into Vault, insofar as pulling hostkeys for decryption at boot.
Is this something that's possible? Are we totally off base here? Is there a better way to do what I'm trying to do?