Code:
zfs create -o encryption=aes-256-ccm -o keyformat=passphrase -o keylocation=prompt ZT/encrypted2
zfs create -o encryption=aes-256-ccm -o keyformat=passphrase -o keylocation=prompt ZT/encrypted2
zfs load-key pool/dataset ...
zfs mount pool/dataset ...
You can refine this tozfs unmount pool/dataset
zfs unload-key pool/dataset
zfs mount -l pool/dataset
zfs unmount -u pool/dataset
It's possible, if desired, to decrypt and mount those encrypted datasets during boot, instead of after boot, by modifying /etc/rc.d/zfs. Passphrases are then asked during boot.I also see a reboot unloads the key.
# add -l option (see zfs-mount(8) )
...
zfs_start_main()
{
zfs mount -val
...
Transcend/VirtualBox
, I have two commands. zpool import Transcend ; zpool status Transcend && zfs load-key Transcend/VirtualBox && zfs mount Transcend/VirtualBox ; mount | grep Transcend
zfs load-key Transcend/VirtualBox && zfs mount Transcend/VirtualBox ; mount | grep Transcend && zpool status -v Transcend
zpool status
because USB in FreeBSD can be troublesome. The first command helped me to quickly tell whether errors occurred moments after import; if there were errors then I'd not attempt to load the key for the encrypted dataset. Eventually I learnt which ports to trust.