# [SOLVED] How to unlock encrypted zfs datasets during boot?

## crocket

I want to open multiple encrypted zfs datasets during boot by entering a password once.

Even root partition is an encrypted zfs dataset.

Different datasets belong to different zfs pools but have the same passphrase. Thus, they need to be opened separately by something.

Last edited by crocket on Mon Nov 29, 2021 1:57 am; edited 1 time in total

----------

## mrbassie

I guess you could use zfs-change-key to switch to using keyfiles instead (I think you can switch between key types ...?), set the keylocation to be /whatever so that only / is decrypted with a passphrase and script loading the keyfiles.

----------

## crocket

*mrbassie wrote:*

> I guess you could use zfs-change-key to switch to using keyfiles instead (I think you can switch between key types ...?), set the keylocation to be /whatever so that only / is decrypted with a passphrase and script loading the keyfiles.

The problem is that a zfs dataset can contain only one key. If I lose the key file accidentally, I cannot ever recover the encrypted dataset again.

LUKS supports multiple keys. One of them can be a passphrase. Another can be a keyfile.

Also, a keyfile can be stolen by hackers. I can memorize one passphrase.

I figured out a dirty way to unlock multiple encrypted zfs datasets with one passphrase during boot.

Last edited by crocket on Mon Nov 29, 2021 2:08 am; edited 1 time in total

----------

## crocket

I found a dirty way to unlock encrypted zfs datasets with one passphrase during boot.

/usr/lib/dracut/modules.d/99local/module-setup.sh

```
#!/bin/sh
# Dracut module "99local": depends on the zfs module and installs the
# pre-mount hook that prompts for the passphrase.

check() {
  return 0
}

depends() {
  echo zfs
  return 0
}

install() {
  # Run zfs-load-key-all.sh in the pre-mount phase, before the root dataset is mounted.
  inst_hook pre-mount 80 "${moddir}/zfs-load-key-all.sh"
}
```

/usr/lib/dracut/modules.d/99local/zfs-load-key-all.sh

```
#!/bin/sh
# Dracut pre-mount hook: ask for the passphrase once and feed it to every
# encryption root listed in ROOTS.
modprobe zfs
zpool import -N -a

# Only print kernel errors, so the prompt is not buried under kernel messages.
echo 3 > /proc/sys/kernel/printk

# Encryption roots to unlock (edit to match your pools/datasets).
ROOTS="encryption-root1 encryption-root2"

while true; do
  stty -echo
  # printf + read -r instead of the bash-only read -p, in case the initramfs shell is not bash.
  printf "Passphrase for datasets: "
  read -r PASS
  stty echo
  echo

  ok=1
  for ds in $ROOTS; do
    # Skip roots whose key is already loaded (e.g. from an earlier attempt);
    # otherwise `zfs load-key` fails with "Key already loaded" and the loop never ends.
    [ "$(zfs get -H -o value keystatus "$ds")" = "available" ] && continue
    echo "$PASS" | zfs load-key "$ds" || ok=0
  done
  [ "$ok" = 1 ] && break
done
unset PASS
```

Execute

```
dracut --kver $(uname -r) --force
```

Somehow, `modprobe zfs` and `zpool import -N -a` are necessary.

`echo 3 > /proc/sys/kernel/printk` makes the kernel print only error messages. Otherwise, the kernel prints verbose messages over the passphrase prompt.

The scripts are dirty because I didn't have time for cleanness. I can clean them up later.

----------
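An added example (not crocket's hook, nor part of the thread) that generalizes the script above: instead of hardcoding `encryption-root1`/`encryption-root2`, it derives the encryption roots that still need a key from `zfs list` output, so a dataset whose key is already loaded is never retried and the same function doubles as a post-boot check. It assumes the OpenZFS `zfs list -H -o name,encryptionroot,keystatus` column order and dataset names without whitespace; `pending_roots`, `load_roots` and `prompt_until_loaded` are names chosen here.

```shell
#!/bin/sh
# Added example, not from the thread: discover the encryption roots that still
# need a key from `zfs list` output instead of listing them by hand.
# Assumes `zfs list -H -o name,encryptionroot,keystatus` column order.

# Constructed sample of that listing for two pools: child datasets report the
# encryption root they inherit the key from, "-" means unencrypted.
SAMPLE_LISTING='rpool              -           -
rpool/ROOT         rpool/ROOT  unavailable
rpool/ROOT/gentoo  rpool/ROOT  unavailable
rpool/plain        -           -
tank               -           -
tank/enc           tank/enc    unavailable
tank/enc/data      tank/enc    unavailable
tank/other         tank/other  available'

# pending_roots: listing on stdin -> one line per encryption root whose key is
# not loaded, printed once, first-seen order. Empty output = all keys loaded.
pending_roots() {
  seen=" "
  while read -r name root status; do
    [ "$root" = "-" ] || [ -z "$root" ] && continue
    [ "$status" = "unavailable" ] || continue
    case "$seen" in *" $root "*) continue ;; esac
    seen="$seen$root "
    printf '%s\n' "$root"
  done
}

# load_roots PASSPHRASE ROOT...: feed one passphrase to each root; returns 0
# only if every load-key succeeded (already-loaded roots were filtered out).
load_roots() {
  pass=$1; shift
  rc=0
  for ds in "$@"; do
    printf '%s\n' "$pass" | zfs load-key "$ds" || rc=1
  done
  return $rc
}

# Loop for the pre-mount hook (call explicitly; nothing runs at source time).
prompt_until_loaded() {
  while :; do
    roots=$(zfs list -H -t filesystem,volume -o name,encryptionroot,keystatus | pending_roots)
    [ -z "$roots" ] && return 0
    stty -echo; printf 'Passphrase for datasets: '; read -r PASS; stty echo; echo
    load_roots "$PASS" $roots
  done
}
```

After boot, `zfs list -H -o name,encryptionroot,keystatus | pending_roots` printing nothing confirms every encryption root was unlocked.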

