I have used a USB flash drive to auto-unlock a / partition encrypted with LUKS on NixOS before. I am wondering how to do this when using encrypted zfs datasets instead of LUKS. Also, how to auto-unlock a zfs dataset that is not part of NixOS itself using a USB flash drive with the password on it?
I did not test this for unlocking a ZFS containing NixOS itself, but the following works to unlock a different ZFS dataset and mounting it automatically:
The example dataset
I have a zfs pool called zfs-user-files and a dataset called zfs-user-files/encrypted. I did not use the default dataset cuz I found that very annoying/impossible to rename.
Set a mount point on the ZFS dataset
zfs get mountpoint,canmount zfs-user-files/encrypted
should look like this:
NAME PROPERTY VALUE SOURCE
zfs-user-files/encrypted mountpoint /mnt/zfs-user-files local
zfs-user-files/encrypted canmount on default
Set the key location for the pool
zfs get keylocation zfs-user-files
should look like:
NAME PROPERTY VALUE SOURCE
zfs-user-files keylocation file:///mnt/keys/zfs_password.txt local
Mount the key on NixOS on boot
In my case I made a ext4 partition which contains the file zfs_password.txt, which contains the password.
fileSystems."/mnt/keys" = {
device = "/dev/disk/by-uuid/77dfe26e-1c9f-47d8-9bde-1f7e692b9460";
fsType = "ext4";
options = [ "nofail" ];
};
Auto-import the ZFS pool
See ZFS - NixOS Wiki
boot.zfs.extraPools = [ "zfs-user-files" ];
Rebuild and reboot to see if it works
For me after rebooting I ran df -h and as expected:
zfs-user-files/encrypted 15G 20M 15G 1% /mnt/zfs-user-files
Cuz since the pool is imported, the mountpoint is set, and the key can be automatically loaded, NixOS auto mounts the dataset.