Hello ZFS experts!
I have zpools on various machines which have native-encrypted datasets which just sit there (they’re backups containing sensitive data).
Now, ideally, on some machines I’d like to be able to boot into an unencrypted dataset in the same zpool.
But if I ask for any dataset from that zpool to be mounted during the boot process, using fileSystems or boot.zfs.extraPools, then NixOS attempts to decrypt all its datasets, which is not what I want (not just because it’s a hassle to provide the password but also because I’d like the data to just unsnoopable).
I’ve tried setting cantmount=true and mountpoint=none, but the NixOS boot process still tries to decrypt everything. (I’ve also tried mountpoint=legacy of course.)
A kinda sloppy workaround is to set zfs.passwordTimeout to a low value.
Anyone know please whether there’s a neater workaround or an actual fix? Thank you!