git: 97aeda224356 - main - zfskeys: Support autoloading of keys stored on ZFS

From: Mateusz Piotrowski <>
Date: Fri, 18 Mar 2022 13:55:38 UTC
The branch main has been updated by 0mp (doc, ports committer):


commit 97aeda2243568b386d792514996a06daec55eece
Author:     Mateusz Piotrowski <>
AuthorDate: 2022-03-18 12:35:16 +0000
Commit:     Mateusz Piotrowski <>
CommitDate: 2022-03-18 13:53:52 +0000

    zfskeys: Support autoloading of keys stored on ZFS

    The zfskeys service script starts before the zfs service script, so that
    dataset decryption keys are available when `zfs mount -a` is run. One of
    the potential edge cases of this design is that if a key is stored on
    ZFS it won't be loaded until `zfs mount -a` is issued.

    In order to address that let's try to load the additional keys and mount
    related ZFS datasets after the zfs script finishes its standard mounting

    PR:             262468
    Reported by:    Graham Perrin <>
    Reviewed by:    allanjude
    Approved by:    allanjude (src)
    Fixes:  33ff39796ffe Add zfskeys rc.d script for auto-loading encryption keys
    MFC after:      3 days
    Sponsored by:   Modirum
    Sponsored by:   Klara Inc.
    Differential Revision:
 libexec/rc/rc.d/zfs | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/libexec/rc/rc.d/zfs b/libexec/rc/rc.d/zfs
index 2d35f9b54642..dbc82f82c65b 100755
--- a/libexec/rc/rc.d/zfs
+++ b/libexec/rc/rc.d/zfs
@@ -13,6 +13,7 @@ name="zfs"
 desc="Mount and share ZFS datasets"
@@ -41,6 +42,17 @@ zfs_start()
+	# Some of the keys to decrypt datasets are potentially stored on ZFS
+	# datasets that just got mounted. Let's try to load those keys and
+	# mount the datasets.
+	if checkyesno zfskeys_enable; then
+		/etc/rc.d/zfskeys start
+		zfs_start
+	fi
 	if [ `$SYSCTL_N security.jail.mount_allowed` -eq 1 ]; then
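
Review bot: the exit status of `/etc/rc.d/zfskeys start` is discarded inside the new `if checkyesno zfskeys_enable` block, so `zfs_start` runs a second mount pass even when key loading failed or loaded nothing new. If the zfskeys script reports failure through its exit status, gate the second pass on it (`/etc/rc.d/zfskeys start && zfs_start`), or at least log the failure so an operator can tell a key that could not be read from a dataset that was never meant to mount. The block also makes exactly one extra pass, so a key file stored on a dataset that only becomes available after this second pass is still not loaded; the comment above the `if` should say that one level of nesting is what is supported. Last, the hunk context is `zfs_start()` and the block calls `zfs_start`; the visible lines do not show the enclosing function, so please confirm this call cannot re-enter itself.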