Right now, sled agents can reconstruct the RackSecret, which is in essence a large polynomial, where the secret shares are the coefficients of the polynomial. However, we need to derive an encryption key from this secret, likely using HKDF. This key itself will change whenever the RackSecret changes. Since we don't want to change our disk encryption keys, we should wrap the disk encryption keys in the derived secret. RFD 238 discusses how the RackSecret gets updated during reconfiguration of the rack.
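A sketch of the wrapping scheme described above, added here as an example; it is not code from the project or from RFD 238. It assumes the reconstructed RackSecret is available as a byte string, AES-256-GCM as the wrapping cipher, the disk ID as associated data, and a hypothetical HKDF info label `disk-key-wrap`; all function names are illustrative.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

func mac(key, msg []byte) []byte { // HMAC-SHA256; HKDF is mac(mac(salt, IKM), info || 0x01)
	h := hmac.New(sha256.New, key)
	h.Write(msg)
	return h.Sum(nil)
}
// aead: AES-256-GCM keyed by HKDF-SHA256 of the rack secret (empty salt, assumed info label).
func aead(rackSecret []byte) cipher.AEAD {
	block, _ := aes.NewCipher(mac(mac(nil, rackSecret), []byte("disk-key-wrap\x01")))
	a, _ := cipher.NewGCM(block) // neither call can fail: the derived key is always 32 bytes
	return a
}
// wrap seals diskKey, bound to diskID; the output is nonce || ciphertext || tag.
func wrap(rackSecret, diskKey, diskID []byte) []byte {
	a := aead(rackSecret)
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return a.Seal(nonce, nonce, diskKey, diskID)
}
// unwrap fails if the rack secret is wrong or the blob or diskID was altered.
func unwrap(rackSecret, blob, diskID []byte) ([]byte, error) {
	a := aead(rackSecret)
	if len(blob) < a.NonceSize() {
		return nil, errors.New("wrapped key too short")
	}
	return a.Open(nil, blob[:a.NonceSize()], blob[a.NonceSize():], diskID)
}
// rewrap runs when the RackSecret changes: new wrapping, same disk key.
func rewrap(oldSecret, newSecret, blob, diskID []byte) ([]byte, error) {
	diskKey, err := unwrap(oldSecret, blob, diskID)
	if err != nil {
		return nil, err
	}
	return wrap(newSecret, diskKey, diskID), nil
}
func main() {
	println(len(wrap([]byte("constructed rack secret"), make([]byte, 32), []byte("disk-0"))))
}
```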