The use of conditions means no password will be asked if the key is already available, so it should also be safe to add as a default
The lack of instance parameters (starting zfs-askpassword instead of the parametrized zfs-askpassword@rpool-enc) is managed via DefaultInstance=pool-enc which can be used to hardcode a default name (here pool/enc due to how systemd escaping works)
The ExecStart line can be modified to support other methods to provide the key, for example tpm2 based (unseal) or luks based (by specifying the location of the keyfile on the filesystem)
Currently, the solution depends on 2 services: zfs-askpassword@.service and zfs-remount.service due to my limited understanding of the systemd ordering sequence for sd-zfs.
However, the 2nd service is only present to have zfs mount mount the non-legacy dataset in their expected mointpoints on the filesystem as a separate step: if deemed desirable, the same result could be achieved via:
ExecStartPost=+/bin/sh -c 'zfs mount -a'
Ideally, this service would be generated by sd-zfs, to correctly fill the default DefaultInstance=pool-enc based on the bpool parameter, and automatically include the dependencies from systemd-ask-password in mkinitcpio.conf:
FILES should contain /etc/systemd/system/sysroot.mount.wants/zfs-askpassword@rpool-enc.service /usr/lib/systemd/system/systemd-ask-password-console.service if rpool/enc is the natively encrypted bpool
BINARIES should contain systemd-ask-password systemd-tty-ask-password-agent and anything else needed for other methods (ex: tpm2_unseal or luks binaries)
Native encryption is currently not supported.
PR#4 offers a C based solution, but it hasn't been mainlined yet
I'd like to suggest an alternative solution that could be immediately mainlined since it's a pure systemd based solution: it only requires starting the service :
systemctl daemon-reload ; systemctl start --now zfs-askpassword@rpool-encThe use of conditions means no password will be asked if the key is already available, so it should also be safe to add as a default
The lack of instance parameters (starting zfs-askpassword instead of the parametrized zfs-askpassword@rpool-enc) is managed via
DefaultInstance=pool-encwhich can be used to hardcode a default name (herepool/encdue to how systemd escaping works)The ExecStart line can be modified to support other methods to provide the key, for example tpm2 based (unseal) or luks based (by specifying the location of the keyfile on the filesystem)
Currently, the solution depends on 2 services:
zfs-askpassword@.serviceandzfs-remount.servicedue to my limited understanding of the systemd ordering sequence for sd-zfs.However, the 2nd service is only present to have
zfs mountmount the non-legacy dataset in their expected mointpoints on the filesystem as a separate step: if deemed desirable, the same result could be achieved via:Ideally, this service would be generated by sd-zfs, to correctly fill the default
DefaultInstance=pool-encbased on the bpool parameter, and automatically include the dependencies from systemd-ask-password in mkinitcpio.conf:/etc/systemd/system/sysroot.mount.wants/zfs-askpassword@rpool-enc.service /usr/lib/systemd/system/systemd-ask-password-console.serviceif rpool/enc is the natively encrypted bpoolsystemd-ask-password systemd-tty-ask-password-agentand anything else needed for other methods (ex: tpm2_unseal or luks binaries)