Page MenuHomeFreeBSD

zfskeys: Support autoloading of keys stored on ZFS

Authored by 0mp on Mar 18 2022, 12:51 PM.
Referenced Files
Unknown Object (File)
Jan 9 2023, 11:13 PM
Unknown Object (File)
Jan 9 2023, 11:03 AM
Unknown Object (File)
Dec 14 2022, 6:55 PM
Unknown Object (File)
Dec 10 2022, 12:07 AM



The zfskeys service script starts before the zfs service script so that
dataset decryption keys are available when zfs mount -a is run. One of
the potential edge cases of this design is that if a key is stored on
ZFS it won't be loaded until zfs mount -a is issued.

In order to address that, let's try to load the keys and mount related
ZFS datasets after the zfs script finishes its standard mounting

PR: 262468
Reported by: Graham Perrin <>
Fixes: 33ff39796ffe Add zfskeys rc.d script for auto-loading encryption keys
MFC after: 3 days
Sponsored by: Modirum
Sponsored by: Klara Inc.

Test Plan

Given this Makefile:

MP1=	${.CURDIR}/1
MP2=	${MP1}/2
KEY1=	${.CURDIR}/key1
KEY2=	${MP1}/key2

DS1=	zroot/zzztmp1
DS2=	zroot/zzztmp2

	echo 12345678 > ${KEY1}
	zfs create -o encryption=on -o keyformat=passphrase -o keylocation=file://${KEY1} -o mountpoint=${MP1} ${DS1}

	echo 12345678 > ${KEY2}
	zfs create -o encryption=on -o keyformat=passphrase -o keylocation=file://${KEY2} -o mountpoint=${MP2} ${DS2}

	touch ${MP2}/hi

	find ${MP1}


make all
# Run zfskeys stop twice to make sure both MP1 and MP2 are unmounted:
/etc/rc.d/zfskeys stop
/etc/rc.d/zfskeys stop
# Simulate the rc boot sequence:
/etc/rc.d/zfskeys start
/etc/rc.d/zfs start

You should observe something along the lines of:

# /etc/rc.d/zfskeys start
Loading key for zroot/zzztmp1 from file:///usr/home/0mp/zfskeys/key1..
Key file /usr/home/0mp/zfskeys/1/key2 not found, empty or unreadable. Skipping zroot/zzztmp2..

# /etc/rc.d/zfs start
Key already loaded for zroot/zzztmp1.
Loading key for zroot/zzztmp2 from file:///usr/home/0mp/klara/zfskeys/1/key2..

Diff Detail

rG FreeBSD src repository
Lint Not Applicable
Tests Not Applicable

Event Timeline

0mp requested review of this revision.Mar 18 2022, 12:51 PM

Why do we check this? Would we even get here if it wasn't true?

This revision is now accepted and ready to land.Mar 18 2022, 1:05 PM

Yes, as this is the zfs service script, not zfskeys. So this if is going to be useful when zfs is enabled and zfskeys is not.


Of course, badly phrased question. Also I just realised zfskeys would complain if it was invoked but not enabled. Excuse the noise, and thank you.

0mp marked an inline comment as done.Mar 18 2022, 1:33 PM
0mp added inline comments.

Ah, yes, I avoiding complains from zfskeys is another reason. :)