How to auto load-key and mount natively encrypted ZFS Pool (no luks)

  • The issue/context

    I imported my encrypted zfs pool from TrueNAS SCALE and everything works well so far, except that when I reboot I have to log in and simply type:

    Code
    zfs load-key $pool && zfs mount $pool

    My question for OMV

    Is it in the roadmap of OMV to include these options?

    1. create an encrypted zfs pool via the WebUI
    2. doing the load-key automatically at boot

    My HowTo for those who want an encrypted zfs pool on their OMV

    Be aware

    1. native encrypted zfs is not fully privacy foolproof; if someone has physical access to your machine, he will potentially be able to list (ls -R /encrypted-zpool) the files but not read the content of these files (cat /encrypted-zpool/file) on your zfs drive even if the key is unloaded.
    2. I switched (export/import) my encrypted zpool mirror between Debian- and Ubuntu-based systems without issues; you just need to know which version of openZFS you are using, and its algorithm limitations/incompatibilities.
    3. mirrors are the best; raidz with 3, 4, 5 disks will slow down your drive access time (I/O); if you want more security do 2 mirrors and replicate them.
    4. For most usage cases, ZIL and SLOG are useless for home and SOHO (small office/home office); I mean most home/SOHO will be limited by their network anyway.

    as root

    1. create your key and store it somewhere it is accessible during the boot process.

    Code
    dd if=/dev/urandom of=/etc/zfs/zpool.key bs=1 count=32

    2. use the drive ID (here is an example):

    Code
    dataset_name=ssd
    drive1=/dev/disk/by-id/ata-Samsung_SSD_860_PRO_256GB_S42VNF0K205921K
    drive2=/dev/disk/by-id/ata-Samsung_SSD_860_PRO_256GB_S5GANE0N204528K
    
    zpool create -f $dataset_name mirror $drive1 $drive2 -O encryption=aes-256-gcm -O keyformat=raw -O keylocation=file:///etc/zfs/zpool.key

    3. create zfs-load-key service

    4. enable the service for each encrypted ZFS pool created.*

    Code
    systemctl enable zfs-load-key@$dataset_name

    *from time to time, escape characters will be included in the $dataset_name variable; to resolve this...

    Code
    systemctl status zfs-load-key [TAB] [TAB]
    systemctl disable zfs-load-key@$dataset_name
    systemctl enable zfs-load-key@ssd
    systemctl daemon-reload

    References

    - create encrypted zfs pool: https://wiki.archlinux.org/title/ZFS#Native_encryption

    - script zfs-load-key: https://github.com/openzfs/zfs…50#issuecomment-497500144

    and now the bonus track for those who read until the end ;)

    You may have noticed that since you installed zfs, mdadm tries to mount RAID without success at every boot; maybe I'm picky, but this was annoying me.


    So I was able to speed up my boot by removing every md* file inside /usr/share/initramfs-tools/

    Code
    ls -R /usr/share/initramfs-tools/*|grep ^md
    update-initramfs -u

    and now no more time waiting for mdadm, which randomly mounts RAIDs


    PS: I also took the time to remove every file which pointed at btrfs, dm, lvm, ntfs, xfs without any issue


    ref: https://unix.stackexchange.com/a/673315/88344
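    The steps of the HowTo above, assembled as an added example (this is not the poster's own script, nor the unit from the linked GitHub comment): POSIX shell helpers that create the raw key readable only by root, render a zfs-load-key@.service template, escape the pool or dataset name the way systemd expects for a template instance, and install/enable the instance. The unit contents, the /usr/sbin/zfs path and the helper names are assumptions; adjust them to the OpenZFS package on your system. Note that a keylocation=file:// key living on the unencrypted root filesystem gives exactly the protection described in point 1 of "Be aware": whoever has the root disk also has the key, so only an unloaded key (pool imported elsewhere without /etc/zfs/zpool.key) keeps file contents private.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the native
# encryption + auto load-key procedure. Unit layout and the zfs binary
# path are assumptions.

# Create a 32-byte raw key readable only by root. umask 077 yields mode
# 0600; a plain `dd` under the default umask 022 leaves the key
# world-readable, which defeats the point of keeping it out of reach.
zfs_key_create() {
    key_path=$1
    ( umask 077 && head -c 32 /dev/urandom > "$key_path" ) || return 1
    # A short key makes `zpool create ... keyformat=raw` refuse the file.
    [ "$(wc -c < "$key_path" | tr -d ' ')" -eq 32 ]
}

# Escape a pool/dataset name like systemd-escape does for the characters
# that appear in ZFS names: '-' -> \x2d, then '/' -> '-'. For example
# tank-1/data becomes tank\x2d1-data. Enabling the escaped instance name
# avoids the stray escape characters the post mentions.
zfs_escape_instance() {
    printf '%s' "$1" | sed -e 's/-/\\x2d/g' -e 's,/,-,g'
}

# Render the template unit (assumed layout). %I is the *unescaped*
# instance name, so zfs-load-key@tank\x2d1-data runs
# `zfs load-key tank-1/data`. Ordering: after the pool is imported and
# before zfs-mount.service mounts the datasets.
zfs_load_key_unit() {
    cat <<'EOF'
[Unit]
Description=Load ZFS encryption key for %I
DefaultDependencies=no
After=zfs-import.target
Requires=zfs-import.target
Before=zfs-mount.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/zfs load-key %I

[Install]
WantedBy=zfs-mount.service
EOF
}

# Write the template and enable one instance for the given pool/dataset.
# Needs root and systemd; not exercised by the offline checks.
zfs_load_key_install() {
    pool=$1
    zfs_load_key_unit > /etc/systemd/system/zfs-load-key@.service || return 1
    systemctl daemon-reload || return 1
    systemctl enable "zfs-load-key@$(zfs_escape_instance "$pool").service"
}

# Usage (as root), mirroring the post's steps 1, 2 and 4:
#   zfs_key_create /etc/zfs/zpool.key
#   zpool create -f ssd mirror "$drive1" "$drive2" -O encryption=aes-256-gcm \
#       -O keyformat=raw -O keylocation=file:///etc/zfs/zpool.key
#   zfs_load_key_install ssd
```

    After `zfs_load_key_install`, `systemctl status 'zfs-load-key@ssd.service'` should show the oneshot as active (exited) after the next boot, and `zfs get keystatus ssd` should report "available" without any manual load-key.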

  • votdev

    Approved the thread.
