I'd like to encrypt some data on the server using a user-managed secret. I could just ask for a password and derive a key from that, but ideally I'd like to offer users the option of using a yubikey to safeguard the data. This way it would be more resistant to a DB leak scenario and potentially avoid replay attacks.
If I could fully specify the protocol, I'd have a symmetric key encrypted by a client private key, and would ask the client to decrypt the key in order to operate on the data.
Is there a way to leverage webauthn for this?