ZFS Specify keyfile for zfs dataset with encryption via rc.conf

Hello, this is actually my first post here and I may or may not be in the right sub-forum.

Is there a way to specify keyfiles for encrypted datasets in rc.conf just like I specify geli devices, so they get automounted eventually?
 
If you want ZFS native encrypted data sets mounted automatically on system boot, there isn't a service that comes with the base system to enable in rc.conf.

Such a startup script should, on system boot after the ZFS root is mounted, load the key file(s) and mount the encrypted data set(s), and on shutdown or reboot unmount them and unload the key(s).

Try the rc(8) script down below. I'm sure there is a better way to do it, but it does the job (I took /etc/rc.d/zfs as a draft).

Assuming the encrypted data set was created like:
Code:
# openssl rand -hex 32 > /root/keyfile
# chmod 600 /root/keyfile

# zfs create -o encryption=on -o keyformat=hex -o keylocation=file:///root/keyfile \
    -o mountpoint=/encrypted pool/encrypted

zfsenc
Code:
#!/bin/sh
#
# zfsenc: load the key and mount a ZFS native encrypted data set at boot,
# unmount it and unload the key at shutdown. The "shutdown" keyword is what
# makes rc.shutdown(8) run the stop method on shutdown and reboot.
#

# PROVIDE:      zfsenc
# REQUIRE:      zfs
# KEYWORD:      shutdown

. /etc/rc.subr

name="zfsenc"
desc="Mount automatically encrypted data sets"
rcvar="zfsenc_enable"
start_cmd="zfsenc_start"
stop_cmd="zfsenc_stop"

: ${zfsenc_enable:="NO"}

zfsenc_start()
{
        # load the key from the keyfile, then mount the data set
        zfs load-key -L file:///root/keyfile pool/encrypted
        zfs mount pool/encrypted
}

zfsenc_stop()
{
        # -u unloads the key once the data set is unmounted
        zfs umount -u pool/encrypted
}

load_rc_config $name
run_rc_command "$1"

Copy and modify the script to your needs, i.e. replace 'encrypted' with the name of your choice. If there are more encrypted data sets, they can be listed under zfsenc_start and *_stop.

Copy the script into place, change its permissions, enable the service in rc.conf, and start it:
Code:
# cp zfsenc /etc/rc.d
# chmod 555 /etc/rc.d/zfsenc
# sysrc zfsenc_enable=YES
# service zfsenc start

Check that it's working by putting some files in /encrypted:
Code:
# cp <some files> /encrypted
# ls /encrypted
<some files>
# service zfsenc stop
# ls /encrypted
#

Take a note somewhere about the modification made to the system, preferably outside the system. It's always best to track such modifications in case of strange behavior during the boot process that isn't immediately evident.
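A generalised version of the same rc(8) script, added here as an example (it is not the script from the post above and not part of the FreeBSD base system). The data sets are listed in rc.conf as zfsenc_datasets instead of being hard-coded, the key is loaded from each data set's own keylocation property, a keyfile that is readable by group or other is refused, and an already loaded key or already mounted data set is left alone so that a second "service zfsenc start" does not fail. The rc(8) glue at the bottom only runs when invoked with an argument on a system that has /etc/rc.subr; the functions above it can be sourced and exercised on their own. All data set names and paths are hypothetical.

```sh
#!/bin/sh
#
# zfsenc: load keys for and mount the ZFS native encrypted data sets listed
# in rc.conf as zfsenc_datasets; unmount them and unload the keys at shutdown.
# Added example, not the original post's script; data set names are hypothetical.
#
# PROVIDE:      zfsenc
# REQUIRE:      zfs
# KEYWORD:      shutdown

# keystatus is "available", "unavailable", or "none" for an unencrypted data set.
zfsenc_keystatus() {
	zfs get -H -o value keystatus "$1"
}

# Refuse a keyfile that is readable by group or other, or whose keylocation is
# not a file:// URI. Returns 0 when the keyfile is acceptable.
zfsenc_check_keyfile() {
	local ds loc path mode
	ds=$1
	loc=$(zfs get -H -o value keylocation "$ds")
	case $loc in
	file://*) path=${loc#file://} ;;
	*) echo "zfsenc: $ds: keylocation '$loc' is not a file URI" >&2; return 1 ;;
	esac
	[ -f "$path" ] || { echo "zfsenc: $ds: keyfile $path not found" >&2; return 1; }
	mode=$(ls -ld "$path" | cut -c1-10)	# e.g. -rw-------
	case $mode in
	-??-------) return 0 ;;
	*) echo "zfsenc: $ds: keyfile $path is $mode, expected 0600 (chmod 600)" >&2
	   return 1 ;;
	esac
}

# Load the key (unless already loaded) and mount (unless already mounted)
# each data set in the whitespace-separated list $1.
# Returns the number of data sets that could not be set up.
zfsenc_start() {
	local ds failed
	failed=0
	for ds in $1; do
		case $(zfsenc_keystatus "$ds") in
		available) ;;	# key already loaded, e.g. by an earlier start
		unavailable)
			# load-key reads the data set's own keylocation property
			if ! zfsenc_check_keyfile "$ds" || ! zfs load-key "$ds"; then
				failed=$((failed + 1))
				continue
			fi ;;
		*)	echo "zfsenc: $ds: not an encrypted data set, skipping" >&2
			failed=$((failed + 1))
			continue ;;
		esac
		if [ "$(zfs get -H -o value mounted "$ds")" != yes ]; then
			zfs mount "$ds" || failed=$((failed + 1))
		fi
	done
	return $failed
}

# Unmount each data set and unload its key (-u); returns the failure count.
zfsenc_stop() {
	local ds failed
	failed=0
	for ds in $1; do
		zfs unmount -u "$ds" || failed=$((failed + 1))
	done
	return $failed
}

zfsenc_rc_start() { zfsenc_start "$zfsenc_datasets"; }
zfsenc_rc_stop()  { zfsenc_stop  "$zfsenc_datasets"; }

# rc(8) glue; only runs when invoked as /etc/rc.d/zfsenc {start|stop|...}.
if [ $# -gt 0 ] && [ -r /etc/rc.subr ]; then
	. /etc/rc.subr
	name="zfsenc"
	desc="Load keys and mount ZFS encrypted data sets"
	rcvar="zfsenc_enable"
	start_cmd="zfsenc_rc_start"
	stop_cmd="zfsenc_rc_stop"
	load_rc_config $name
	: ${zfsenc_enable:="NO"}
	: ${zfsenc_datasets:=""}	# sysrc zfsenc_datasets="pool/encrypted pool/other"
	run_rc_command "$1"
fi
```

Install it like the script above (cp to /etc/rc.d, chmod 555), then sysrc zfsenc_enable=YES and sysrc zfsenc_datasets="pool/encrypted" (hypothetical names). Because load-key is called without -L, each data set must carry a keylocation=file:///... property as set at creation time; the script exits non-zero with one message per data set it could not load, mount or unmount, so a bad keyfile mode shows up in the boot log instead of being silently skipped.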
 