diff --git a/lib/libpam/pam.d/login b/lib/libpam/pam.d/login
--- a/lib/libpam/pam.d/login
+++ b/lib/libpam/pam.d/login
@@ -4,6 +4,7 @@
 #
 # auth
+#auth optional pam_zfs_key.so homes=zroot/home
 auth sufficient pam_self.so no_warn
 auth include system
@@ -13,6 +14,7 @@
 account include system
 # session
+#session optional pam_zfs_key.so homes=zroot/home
 session include system
 # password
diff --git a/lib/libpam/pam.d/passwd b/lib/libpam/pam.d/passwd
--- a/lib/libpam/pam.d/passwd
+++ b/lib/libpam/pam.d/passwd
@@ -7,4 +7,5 @@
 # password
 #password requisite pam_passwdqc.so enforce=users
+#password optional pam_zfs_key.so homes=zroot/home
 password required pam_unix.so no_warn try_first_pass nullok
diff --git a/usr.sbin/adduser/adduser.8 b/usr.sbin/adduser/adduser.8
--- a/usr.sbin/adduser/adduser.8
+++ b/usr.sbin/adduser/adduser.8
@@ -27,7 +27,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd December 1, 2024
+.Dd December 6, 2024
 .Dt ADDUSER 8
 .Os
 .Sh NAME
@@ -144,6 +144,28 @@
 I have been using this model for almost 10 years and found that it works for
 most situations, and has never gotten in the way.
 (Rod Grimes)
+.Sh ZFS ENCRYPTION
+If ZFS encryption is enabled on a home dataset,
+.Xr zfs-load-key 8
+must be run before mounting \-\- either
+at login, with the pam_zfs_key.so
+.Xr openpam 3
+module, or manually after login.
+.sp
+To configure
+.Xr zfs-load-key 8
+to run at login,
+uncomment lines that mention pam_zfs_key.so in the /etc/pam.d/login and
+/etc/pam.d/passwd files.
+Note that changing the user password with
+.Xr passwd 1
+does not update the ZFS encryption key.
+Use
+.Xr zfs-change-key 8
+to change the key.
+For auto-mount with pam_zfs_key.so,
+the encryption key must match the user password.
+Login via SSH can not auto-mount a ZFS-encrypted home dataset.
 .Sh CONFIGURATION
 The
 .Nm
diff --git a/usr.sbin/adduser/adduser.sh b/usr.sbin/adduser/adduser.sh
--- a/usr.sbin/adduser/adduser.sh
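Review bot: The three commented-out `pam_zfs_key.so homes=zroot/home` template lines (both pam.d/login hunks and the pam.d/passwd hunk) hard-code the pool and parent dataset, and nothing beside them says the value has to be edited; on a system whose per-user datasets do not live under zroot/home an administrator who simply uncomments them gets no key loaded at login, and because the control is `optional` the stack reports nothing. A comment on each template line would prevent that, e.g. `# homes= must be the parent of the per-user home datasets; adjust it before enabling (see adduser(8))`. In pam.d/passwd the optional module also precedes `pam_unix.so`, so if its password hook rekeys the dataset (as upstream pam_zfs_key is documented to do; to be confirmed for this build) and the later pam_unix change is then rejected, or the rekey itself fails and is ignored, the login password and the dataset passphrase diverge and the previous passphrase still unlocks the home dataset; the intended ordering and what to do on that failure belong in the same comment. The adduser.8 text added in this commit says passwd(1) does not update the ZFS key, which contradicts enabling that password line unless the sentence refers to the default commented-out state, so one of the two should be reworded.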
+++ b/usr.sbin/adduser/adduser.sh
@@ -257,7 +257,8 @@
 # create ZFS dataset before home directory is created with pw
 if [ "${Zcreate}" = "yes" ]; then
 if [ "${Zencrypt}" = "yes" ]; then
- echo "Enter encryption keyphrase for ZFS dataset (${zhome}):"
+ echo "Enter ZFS encryption keyphrase"
+ echo "(if auto-mount is required, then this key must match the password for the user) (${zhome}):"
 fi
 if [ -n "$BSDINSTALL_CHROOT" ]; then
 create_zfs_chrooted_dataset
@@ -635,7 +636,7 @@
 #
 get_zfs_encryption() {
 local _input= _prompt=
- _prompt="Enable ZFS encryption? (yes/no) [${Zencrypt}]: "
+ _prompt="Enable ZFS encryption? (To auto-mount at login, see adduser(8).) (yes/no) [${Zencrypt}]: "
 while : ; do
 echo -n "$_prompt"
 read _input
@@ -699,7 +700,7 @@
 # Give new user ownership of newly created zfs dataset.
 #
 set_zfs_perms() {
- if ! ${ZFSCMD} allow "${username}" create,destroy,mount,snapshot "${zhome}"; then
+ if ! ${ZFSCMD} allow "${username}" create,destroy,mount,snapshot,load-key,change-key "${zhome}"; then
 err "There was an error setting permissions on ZFS dataset (${zhome})."
 return 1
 fi
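Review bot: The widened `zfs allow` list in set_zfs_perms delegates `load-key` and `change-key` to the new user without a comment on why, and the reason is not visible in adduser.sh: the PAM module runs inside the login process (typically as root), so the delegation is presumably only needed for the manual `zfs load-key`/`zfs change-key` path the new adduser.8 section describes, and `change-key` also lets the user rekey the dataset independently of the login password, which is exactly the mismatch that disables auto-mount. Suggest `# load-key/change-key let the user load and rekey an encrypted home dataset by hand (see adduser(8), ZFS ENCRYPTION)` above the `if`. The permissions are granted whether or not Zencrypt is "yes" (the visible part of the function does not check it); that is harmless on an unencrypted dataset but worth a word so it is not read as an oversight. The first hunk's new prompt tells the user the keyphrase must equal the password, yet nothing visible here verifies that the two entries match, so a mismatch is only discovered at first login; consider saying so in the prompt or comparing them where the password is later set. set_zfs_perms's closing brace and its caller are outside the hunk.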