git: e8baa0024251 - stable/13 - rc.conf: Document zfskeys

From: Mateusz Piotrowski <0mp_at_FreeBSD.org>
Date: Sun, 06 Mar 2022 20:22:31 UTC
The branch stable/13 has been updated by 0mp (doc, ports committer):

URL: https://cgit.FreeBSD.org/src/commit/?id=e8baa0024251e2002f873ff41e5d57eb3dded903

commit e8baa0024251e2002f873ff41e5d57eb3dded903
Author:     Mateusz Piotrowski <0mp@FreeBSD.org>
AuthorDate: 2022-03-03 19:03:09 +0000
Commit:     Mateusz Piotrowski <0mp@FreeBSD.org>
CommitDate: 2022-03-06 20:21:48 +0000

    rc.conf: Document zfskeys
    
    Fixes:          33ff39796ffe Add zfskeys rc.d script for auto-loading encryption keys
    MFC after:      3 days
    Reviewed by:    allanjude
    Sponsored by:   Modirum
    Sponsored by:   Klara, Inc
    Differential Revision:  https://reviews.freebsd.org/D34427
    
    (cherry picked from commit 8719e8a951b78ca555ed777e99d5e2b90f3c4e7b)
---
 share/man/man5/rc.conf.5 | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5
index e3b05f75f641..992b5da5ec98 100644
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
@@ -24,7 +24,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd November 18, 2021
+.Dd March 3, 2022
 .Dt RC.CONF 5
 .Os
 .Sh NAME
@@ -4632,6 +4632,30 @@ If set to
 .Dq Li YES ,
 and a boot environment marked bootonce is successfully booted,
 it will be made permanently active.
+.It Va zfskeys_enable
+.Pq Vt bool
+If set to
+.Dq Li YES ,
+enable auto-loading of encryption keys for encrypted ZFS datasets.
+For every dataset the script will first load the appropriate encryption key
+and the attempt to unlock the dataset.
+.Pp
+The script operates only on datasets which are encrypted with
+ZFS native encryption
+and have a ZFS
+.Dq Li keylocation
+dataset property beginning with
+.Dq Li file:// .
+.It Va zfskeys_datasets
+.Pq Vt str
+A whitespace-separated list of ZFS datasets to unlock.
+The list is empty by default,
+which means that the script will attempt to unlock all datasets.
+.It Va zfskeys_timeout
+.Pq Vt int
+Define the total number of seconds to wait for the zfskeys script
+to unlock an encrypted dataset.
+The default is 10.
 .El
 .Sh FILES
 .Bl -tag -width ".Pa /etc/defaults/rc.conf" -compact
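
Review bot: In the zfskeys_enable entry, the added line "and the attempt to unlock the dataset." looks like a typo for "and then attempt to unlock the dataset." The zfskeys_timeout entry is also ambiguous: it says "total number of seconds" but then "an encrypted dataset", so the reader cannot tell whether the default of 10 applies per dataset or to the whole run; please state which. Because the script only acts on datasets whose keylocation begins with file://, the key sits in a file on disk, and a sentence here recommending that the key file be readable by root only would help administrators who enable this.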