@mike If consentomatic can't deal with it, I use reader mode, and if that can't I close the tab.

@jackemled @vampirdaddy In my case, backup service is a single use key limited only being able to send snapshots, no shell, no recv, not used for anything else. And the duress lock sends a burndown (wipe key from backup endpoint) and wipes that local key after the backup completes.

@vampirdaddy @jgilbert @tom @dianea pam does the check for screen unlock too so it'll work there. The duress password is what you put on the post-it. And you make it cry for help (send network notif), wipe keys, snapshot and backup, and shutdown.

Zfs can send incrementals of encrypted volumes without having the key. The data is not destroyed, just locked by a key that is no longer on the device.