Description
ZFS has native support for encryption. I can create an encrypted ZFS pool just fine, and I can create an SR for that pool. However, when I reboot there is no loading of the key (file-based) and the SR does not attach.
I have tried following various examples for loading the key using a systemd service, but none seem to work for xcp-ng, because it seems the key does not get loaded after the pool is imported, even if I direct the custom service to run after zfs-import.service and before zfs-mount.service.
The only way I was able to ensure the keys get loaded is to issue a zpool import command before loading the keys. I have the following service enabled:
[Unit]
Description=Load ZFS keys
# No implicit ordering; the ordering is given explicitly below
DefaultDependencies=no
# Run once the pools have been imported, but before datasets are mounted
After=zfs-import.target
Before=zfs-mount.service

[Service]
Type=oneshot
RemainAfterExit=yes
# Import any pool that is not imported yet, load every key
# (keylocation must point at a file, not a prompt, for an unattended boot),
# then mount all datasets
ExecStartPre=/usr/sbin/zpool import -a
ExecStart=/usr/sbin/zfs load-key -a
ExecStartPost=/usr/sbin/zfs mount -a

[Install]
WantedBy=zfs-mount.service
With this I can finally get the SR connected at boot. Is there a better, more supported way to handle encrypted ZFS pools in XCP-ng?
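As an added example (not from the issue author or from XCP-ng), the following script does the same job as the unit above but only loads the keys of encryption roots that are still locked after import, and refuses to run `zfs mount -a` while any dataset is still locked, so the SR is never attached half-unlocked. It assumes OpenZFS `zfs list` with the `keystatus` and `encryptionroot` columns and key locations set to `file://` URIs; the `--run` flag is an assumption of this script.

```shell
#!/bin/sh
# Example pre-mount key loader for an encrypted ZFS pool (added example).
# Usage from a oneshot unit: ExecStart=/usr/local/sbin/zfs-load-keys.sh --run
set -eu

# Read `zfs list -H -o name,keystatus,encryptionroot` lines on stdin and
# print each encryption root (name == encryptionroot) whose keystatus is
# "unavailable". Children inherit the key, so only roots need loading.
unloaded_encryption_roots() {
    awk -F '\t' '$2 == "unavailable" && $1 == $3 { print $1 }'
}

# Succeed only when no line on stdin still reports keystatus "unavailable".
all_keys_loaded() {
    awk -F '\t' '$2 == "unavailable" { exit 1 }'
}

list_filesystems() {
    zfs list -H -t filesystem -o name,keystatus,encryptionroot
}

main() {
    # The pool may not be imported yet at this point of the boot (see above).
    zpool import -a || true
    # zfs load-key reads the key from the dataset's keylocation property;
    # with a file:// location this works without a console prompt.
    list_filesystems | unloaded_encryption_roots | while IFS= read -r root; do
        echo "loading key for $root"
        zfs load-key "$root"
    done
    if list_filesystems | all_keys_loaded; then
        zfs mount -a
    else
        echo "some encrypted datasets are still locked; not mounting" >&2
        exit 1
    fi
}

# Only act when invoked with --run so the functions can be sourced on their own.
if [ "${1:-}" = "--run" ]; then
    main
fi
```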