Since at least the import of ZoL/new OpenZFS, zfs has supported encrypted datasets, with password or file keys. These can be mounted via 'zfs mount -l' or 'zfs load-key -a'. This isn't automatically done at boot, but could be by adding the '-l' flag to the zfs mount command in the rc script.
Created attachment 225750: Patch to add knob to rc.conf to automount zfs filesystems
Here's a patch that adds a flag to rc.conf ("zfs_mount_encrypted") that, if enabled, will load keys and automount encrypted ZFS filesystems on boot. By default the option would be disabled to maintain existing behaviour. The patch also includes documentation for the rc.conf man page.
Comment on attachment 225750: Patch to add knob to rc.conf to automount zfs filesystems
Does this work with both keylocations, prompt and file?
(In reply to Alan Somers from comment #2) Good point! I tested this with a file key only. I imagine the desired behavior with passphrase would be to prompt at boot like when using GELI on root. I'll take a look at this tonight.
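The keylocation question raised in the comments above, as an added example that is not part of the attached patch or of the zfskeys script: it sorts datasets by keylocation so a boot-time step loads only file-based keys and leaves `prompt` datasets for an operator. The dataset names, key paths and function names are constructed, and the input is assumed to list encryption roots in the tab-separated format of `zfs get -H -o name,value keylocation`.

```sh
#!/bin/sh
# Added example (not from the patch or the zfskeys script).
# Reads "dataset<TAB>keylocation" lines, the format printed by
#   zfs get -H -o name,value keylocation
# and decides what a boot-time script can do without an operator.

TAB="$(printf '\t')"

# Constructed sample; pool, dataset and key file names are hypothetical.
sample_keylocations() {
	printf 'tank\tnone\n'                                # unencrypted
	printf 'tank/home\tfile:///etc/zfs/keys/home.key\n'
	printf 'tank/secret\tprompt\n'
	printf 'tank/vm\tfile:///etc/zfs/keys/vm.key\n'
}

# Datasets whose key is read from a file: loadable unattended.
unattended_datasets() {
	while IFS="$TAB" read -r name loc; do
		case "$loc" in
		file://*) printf '%s\n' "$name" ;;
		esac
	done
}

# Datasets that need a passphrase typed on the console.
prompt_datasets() {
	while IFS="$TAB" read -r name loc; do
		case "$loc" in
		prompt) printf '%s\n' "$name" ;;
		esac
	done
}

# Dry run: print the commands a boot script would issue, never run them.
boot_plan() {
	while IFS="$TAB" read -r name loc; do
		case "$loc" in
		file://*) printf 'zfs load-key %s\n' "$name" ;;
		prompt)   printf '# skip %s: needs console passphrase\n' "$name" ;;
		esac
	done
}

# Demonstration on the constructed sample above.
sample_keylocations | boot_plan
```

On a live system the same functions can be fed from `zfs get -H -o name,value keylocation` instead of the sample.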
Also: ⚙ D30015 Add zfskeys script to /etc/rc.d for auto-loading zfs keys <https://reviews.freebsd.org/D30015>
Comment on attachment 225750: Patch to add knob to rc.conf to automount zfs filesystems
(In reply to Graham Perrin from comment #4)
Yes, that looks much more complete! Once it's merged I think this issue should be closed.
<https://cgit.freebsd.org/src/commit/?id=33ff39796ffe469a764e485ac49c31700a51fd6f> Cherry pick: <https://cgit.freebsd.org/src/commit/?id=e81b2348d2101f33043e4a4ab3e24f4d69bac073&h=stable%2F13>
/libexec/rc/rc.d/zfskeys

– does not exist with my recently built FreeBSD 14.0-CURRENT.
I'm confused.

root@mowa219-gjp4-8570p-freebsd:~ # service zfskeys restart
zfskeys does not exist in /etc/rc.d or the local startup directories (/usr/local/etc/rc.d), or is not executable
root@mowa219-gjp4-8570p-freebsd:~ # file /libexec/rc/rc.d/zfskeys
/libexec/rc/rc.d/zfskeys: cannot open `/libexec/rc/rc.d/zfskeys' (No such file or directory)
root@mowa219-gjp4-8570p-freebsd:~ # uname -aKU
FreeBSD mowa219-gjp4-8570p-freebsd 14.0-CURRENT FreeBSD 14.0-CURRENT #113 main-n250242-eab5358b908: Mon Oct 25 05:40:35 BST 2021 root@mowa219-gjp4-8570p-freebsd:/usr/obj/usr/src/amd64.amd64/sys/GENERIC-NODEBUG amd64 1400039 1400039
root@mowa219-gjp4-8570p-freebsd:~ #
(In reply to Graham Perrin from comment #7)
> /libexec/rc/rc.d/zfskeys
>
> – does not exist with my recently built FreeBSD 14.0-CURRENT.
> I'm confused.

Sorry, PEBKAM above but still, I'm confused by the absence of zfskeys:

% ls -hl /etc/rc.d/zfs*
-r-xr-xr-x 1 root wheel 872B 1 Jan 2021 /etc/rc.d/zfs
-r-xr-xr-x 1 root wheel 1.7K 1 Jan 2021 /etc/rc.d/zfsbe
-r-xr-xr-x 1 root wheel 209B 1 Jan 2021 /etc/rc.d/zfsd
%
zfskeys is not listed in libexec/rc/rc.d/Makefile and tools/build/mk/OptionalObsoleteFiles.inc. Test build running... diff --git a/libexec/rc/rc.d/Makefile b/libexec/rc/rc.d/Makefile index 4c7267552526..36b8a91727dc 100644 --- a/libexec/rc/rc.d/Makefile +++ b/libexec/rc/rc.d/Makefile @@ -323,6 +323,7 @@ CONFGROUPS+= ZFS ZFS+= zfs ZFS+= zfsbe ZFS+= zfsd +ZFS+= zfskeys ZFS+= zpool ZFS+= zvol ZFSPACKAGE= rc diff --git a/tools/build/mk/OptionalObsoleteFiles.inc b/tools/build/mk/OptionalObsoleteFiles.inc index 96156a80f2e3..0cfa3428ee21 100644 --- a/tools/build/mk/OptionalObsoleteFiles.inc +++ b/tools/build/mk/OptionalObsoleteFiles.inc @@ -1118,8 +1118,9 @@ OLD_FILES+=boot/gptzfsboot OLD_FILES+=boot/zfsboot OLD_FILES+=boot/zfsloader OLD_FILES+=etc/rc.d/zfs -OLD_FILES+=etc/rc.d/zfsd OLD_FILES+=etc/rc.d/zfsbe +OLD_FILES+=etc/rc.d/zfsd +OLD_FILES+=etc/rc.d/zfskeys OLD_FILES+=etc/rc.d/zvol OLD_FILES+=etc/devd/zfs.conf OLD_FILES+=etc/periodic/daily/404.status-zfs
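Review bot: The `ZFS+= zfskeys` line in the libexec/rc/rc.d/Makefile hunk installs a script that this diff does not itself add, so it depends on zfskeys already being present in libexec/rc/rc.d in the tree; say so in the description. The posting notes the test build was still running, so confirm on the installed result that /etc/rc.d/zfskeys exists and that `service zfskeys` finds it before this goes in.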
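Review bot: In the tools/build/mk/OptionalObsoleteFiles.inc hunk, the swap of etc/rc.d/zfsd and etc/rc.d/zfsbe is a sort fix unrelated to adding etc/rc.d/zfskeys; mention it in the commit message so the extra -/+ pair is not mistaken for a functional change. The Makefile group also contains zpool, but the context here goes straight from etc/rc.d/zfskeys to etc/rc.d/zvol, so check whether etc/rc.d/zpool is listed elsewhere in the file or is missing as well.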
*** Bug 259892 has been marked as a duplicate of this bug. ***
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=a58135eb092748caf383bc82306af522ff311d9d

commit a58135eb092748caf383bc82306af522ff311d9d
Author: Herbert J. Skuhra <herbert@gojira.at>
AuthorDate: 2021-12-03 00:44:55 +0000
Commit: Mateusz Piotrowski <0mp@FreeBSD.org>
CommitDate: 2021-12-03 01:05:55 +0000

    OptionalObsoleteFiles.inc: Add rc.d/zfskeys

    While here, sort the etc/rc.d entries.

    PR: 256483
    Reviewed by: allanjude
    Approved by: allanjude (src)
    MFC after: 3 days
    Sponsored by: Modirum MDPay
    Sponsored by: Klara Inc.
    Differential Revision: https://reviews.freebsd.org/D33238

 tools/build/mk/OptionalObsoleteFiles.inc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=4a10f984d8e54d5115574d1ed354264921dfb2d3

commit 4a10f984d8e54d5115574d1ed354264921dfb2d3
Author: Herbert J. Skuhra <herbert@gojira.at>
AuthorDate: 2021-12-03 00:44:55 +0000
Commit: Mateusz Piotrowski <0mp@FreeBSD.org>
CommitDate: 2021-12-06 09:56:28 +0000

    OptionalObsoleteFiles.inc: Add rc.d/zfskeys

    While here, sort the etc/rc.d entries.

    PR: 256483
    Reviewed by: allanjude
    Approved by: allanjude (src)
    MFC after: 3 days
    Sponsored by: Modirum MDPay
    Sponsored by: Klara Inc.
    Differential Revision: https://reviews.freebsd.org/D33238

    (cherry picked from commit a58135eb092748caf383bc82306af522ff311d9d)

 tools/build/mk/OptionalObsoleteFiles.inc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)