Retrievable secrets
Retrievable secrets can securely provision sensitive data into a guest at boot.
Retrievable secrets can be plaintext or protected key material. For example, a plaintext item can be a LUKS passphrase used to open an encrypted root volume, or an initial root SSH password. In practice, plaintext retrievable secrets are most useful for one-time or short-lived secrets that the guest consumes early in init, for example to unlock volumes, seed local key stores, or inject admin credentials.
Protected key material can be paired with a protected key or hardware-accelerated primitives. These secrets can be used by applications that call CPACF crypto instructions or by kernel facilities such as the pkey modules and PAES cipher implementations.