
zfskeys: if location is prompt then prompt during boot

Authored by ambrisko on Aug 8 2022, 6:42 PM.



Sometimes, prompting for the key is needed. If the ZFS key is to be
entered during boot, then prompt and accept the key during boot.

Test Plan

Tested with ZFS encryption using a file for the key, and another test to prompt for the key.

Diff Detail

rG FreeBSD src repository
Lint Not Applicable
Tests Not Applicable

Event Timeline

ambrisko added a reviewer: allanjude.

Do docs need to be updated?
Otherwise, I like it.


kl == prompt, so why obfuscate by expanding it here?

0mp requested changes to this revision. Sep 16 2022, 12:14 PM
In D36081#823478, @imp wrote:

Do docs need to be updated?

The rc.conf manual page does not document any of that at the moment. We probably should reference zfs-load-key(8) somewhere at least. This is not part of this revision though I'd say.

Otherwise, I like it.

I'm not sure if I don't understand the purpose of the /dev/tty redirects. Could you explain a bit the reason behind that construct?

Otherwise, seems OK as well


What's the reason for < /dev/tty > /dev/tty 2>/dev/tty?

This revision now requires changes to proceed. Sep 16 2022, 12:14 PM

Combining both questions.

I don't understand the "kl == prompt" question. If the key was set to prompt then we need to read the key from console. If it is not in prompt mode then read the key from a file like the original code did. So when the ZFS key is set in prompt mode then it needs to read from /dev/tty etc. or it dies:

ZFS filesystem version: 5
ZFS storage pool version: features support (5000)
Key prompt for hdd_zfs_data_1/encrypted.
Key load error: encryption failure
 Key failed to load for hdd_zfs_data_1/encrypted.
Mounting /etc/fstab filesystems failed, startup aborted
ERROR: ABORTING BOOT (sending SIGTERM to parent)!

with /dev/tty:

ZFS filesystem version: 5
ZFS storage pool version: features support (5000)
Key prompt for hdd_zfs_data_1/encrypted.
Enter passphrase for 'hdd_zfs_data_1/encrypted':
<ZFS password entered>
Key loaded for hdd_zfs_data_1/encrypted.
Starting file system checks:
FreeBSD/amd64 (p15s) (ttyu0)


/dev/tty makes it read and write to the console so the key can be entered.
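
The branch discussed in this thread, as an added example that is not part of the review or the committed zfskeys change: a loader that attaches the passphrase dialogue to the console only when keylocation is prompt. The function name load_dataset_key and the ZFS, CONSOLE_IN and CONSOLE_OUT override variables are hypothetical, and the readability check on the key file is an assumption; the status messages follow the console output quoted above.

```shell
#!/bin/sh
# Added illustration; not the FreeBSD zfskeys rc script.
# ZFS, CONSOLE_IN and CONSOLE_OUT are hypothetical override hooks so the
# logic can be exercised without a pool or a controlling terminal.
: "${ZFS:=zfs}"
: "${CONSOLE_IN:=/dev/tty}"
: "${CONSOLE_OUT:=/dev/tty}"

# load_dataset_key DATASET
# Returns 0 when the key is loaded (or none is needed), 1 when loading
# fails, 2 when the keylocation property cannot be read.
load_dataset_key() {
    dataset=$1
    kl=$($ZFS get -H -o value keylocation "$dataset") || return 2

    loaded=no
    case "$kl" in
    none)
        # No key is configured on this dataset; nothing to load.
        return 0 ;;
    prompt)
        echo "Key prompt for $dataset."
        # Assumption: the boot script's stdin/stdout are not the console,
        # so the passphrase dialogue is attached to it explicitly.
        $ZFS load-key "$dataset" < "$CONSOLE_IN" > "$CONSOLE_OUT" 2>&1 &&
            loaded=yes ;;
    file://*)
        # Refuse early when the key file is missing or unreadable.
        [ -r "${kl#file://}" ] && $ZFS load-key "$dataset" && loaded=yes ;;
    *)
        # Any other keylocation: let zfs fetch the key without a console.
        $ZFS load-key "$dataset" && loaded=yes ;;
    esac

    if [ "$loaded" = yes ]; then
        echo "Key loaded for $dataset."
    else
        echo "Key failed to load for $dataset."
        return 1
    fi
}
```

Only the prompt branch touches the console, so file-based keys still load unattended.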

This revision was not accepted when it landed; it landed in state Needs Revision. Sep 12 2024, 4:35 PM
This revision was automatically updated to reflect the committed changes.