

3 days ago

Ironically, the passphrase for the encryption wouldn’t be encrypted in this scenario, as claims can be decoded from the token payload if intercepted. It would also probably be stored as-is server-side. Claims aren’t designed as secrets.
Perhaps you could authorise a request to an actual secrets manager via oidc though, allowing the volume to be unlocked.
A fall-back to the current way of unlocking the volume would probably be a good idea. It wouldn’t be fun to lose access to something because a cloud service went down or access to it was lost, etc.
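To make the first point concrete, here is an added example (not the commenter's code) that mints an HS256 JWT with a constructed throwaway key and a constructed `volume_passphrase` claim, then reads that claim back using no key at all; only signature verification needs the key, which is why a signed token protects integrity but not confidentiality of its claims.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key: it is needed only to sign and verify the token.
# Reading the claims needs no key, which is the whole point of the example.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_hs256_token(claims: dict, key: bytes) -> str:
    """Build a compact JWS (header.payload.signature) the way an IdP would."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def read_claims_without_key(token: str) -> dict:
    """Anyone holding the token (proxy, log file, capture) can do this: the payload is base64url, not ciphertext."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def signature_is_valid(token: str, key: bytes) -> bool:
    """Verification is the only step that needs the key; it proves origin and integrity, not secrecy."""
    header, payload, signature = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(signature))


if __name__ == "__main__":
    # Constructed claims; the "passphrase" value is a placeholder, not a real secret.
    token = mint_hs256_token({"sub": "alice", "volume_passphrase": "hunter2-constructed"}, SIGNING_KEY)
    print(read_claims_without_key(token))  # the passphrase claim is readable with no key
    print(signature_is_valid(token, SIGNING_KEY))
```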