@mike I wrote a script using openssl at previous job that used a combination of hostname, service tag, and some salt known by the team to generate a long password for full disk encryption so it couldn't really be "lost" and anyone who needed to reboot a server could get it but it's still major yikes territory. These things are hard to do at scale without involving more technology that can't be offline at the wrong time