For network bound disk encryption and policy based decryption with Clevis & Tang, a new set of vault privileges is required.

1) write-only When the disk of a new host is encrypted, Clevis uses the host keytab to store a recovery key in KRA. The identifier of the key is the hostname + UUID of the LUKS partition. Clevis must not be able to read the recovery key from the vault again. It may need to be able to check for the presence of the recovery key, though.

2) read-only A user with a special Clevis recovery permission must be able to fetch the key from the KRA. Only users with this permission for a host or host group are allowed to retrieve the recovery key in order to recover a LUKS partition in case of a catastrophic failure.

3) delete-only Neither Clevis nor recovery users are allowed to delete a recovery key. We still want to have a way to remove keys in case a host or disk is removed indefinitely.

We may need to define a new vault type just for this special case and bind three new permissions to the new vault type.