Unrelated to unlocking devices... but LUKS is a really nice piece of software for Linux. You throw any block device (real or otherwise) to it, and you get a /dev/mapper/ volume that transparently encrypts anything written to it.

Other than encrypting my local workstations, you can also use it on VMs from Linode/DigitalOcean/AWS/GCP/etc. If you store all your sensitive data beneath /home for example, you can boot the instance, use the OOB console to access it, decrypt and mount /home, then SSH and it's business as usual. This gives you (some) protection against a malicious actor at your provider snooping your volumes.

edit: typo

You can even set up SSH to the bootloader to unlock LUKS if it reboots.

Yup, earlyssh - I found it a massive pain to set up, but it works.

Interesting, I've never heard of earlyssh as an option--I've used dropbear-initramfs for this in the past.

Same here, I have been using dropbear-initramfs since forever. I am now looking into Mandos[1] though, as doing it manually with Dropbear becomes a massive pain when managing several bare-metal servers.

[1] https://www.recompile.se/mandos

Thanks for the link; I hadn't heard of Mandos.

Another solution in the same space is Clevis[1]; last time I was researching this problem, I came across it via Red Hat's docs[2].

[1]: https://github.com/latchset/clevis

[2]: https://access.redhat.com/documentation/en-us/red_hat_enterp...