I have a working system with keylocation=prompt, but prompt has some obvious limitations. For a server, I don’t want to have to type something in or have a keyboard connected (or SSH, but while I had it enabled for systemd-boot, nmap shows no open port 22). The config matches my laptop (prompt) where ZFS does not automount, and uses mount -t zfs -o zfsutil, which nixos-install picks up for hardware.
I have read the documentation.
One thing that particularly caught my eye is an issue reply (Native encryption - request to allow raw keys on devices, (like USB flash) · Issue #6556 · openzfs/zfs · GitHub) to embed the 64 hex bytes in the sector with a newline that gets around a limitation. This worked for loading & unloading keys in the installer, but didn’t for boot without much of an error. I then tried setting up a /00-zfs-keys directory on a new partition to put in an actual file like the Oracle docs noted. This gave me an error saying the device was missing, which would clue me into the mounting order (I tried moving it to /boot/00-zfs-keys on the off chance that would work), and I can’t mount it before root because root is ZFS and the current ZFS will be helpful and try to auto open encrypted partitions. However, all of the keylocation=file:// options do not seem to work for me.
Is there a better way to get a key from a USB? Also, why isn’t the SSH daemon running when this mounts, as an alternative for prompt?
NOTE: I did not follow the OpenZFS guide for NixOS on root, because it involved grub2 which I’ve not used in years, and my laptop has been fine with the prompt option + systemd-boot already. I would assume grub2 wouldn’t help me here but maybe? I will be heading to bed after banging my head against this issue all day.
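On the second question (no port 22 at the passphrase prompt): the SSH daemon from the normal system configuration is not started inside the initrd, so a separate stage-1 SSH server has to be enabled explicitly. The following NixOS configuration fragment is an added example and is not from the original post; it shows the scripted-initrd options that start a small SSH server while ZFS is waiting for the key, so the passphrase can be entered remotely instead of on a connected keyboard. The NIC module name, the host-key path, the authorized key and the port number are assumptions and must be replaced with the server's own values.

```nix
{ config, lib, pkgs, ... }:
{
  boot.loader.systemd-boot.enable = true;
  boot.supportedFilesystems = [ "zfs" ];

  # Keep the passphrase prompt for the root pool (the existing keylocation=prompt setup).
  boot.zfs.requestEncryptionCredentials = true;

  # Bring up networking in stage 1 so the initrd can be reached at all.
  # "ip=dhcp" is a kernel parameter read by the initrd network setup.
  boot.kernelParams = [ "ip=dhcp" ];
  # Driver for the server's NIC; "r8169" is an assumption, check `lspci -k` for the real one.
  boot.initrd.availableKernelModules = [ "r8169" ];

  boot.initrd.network = {
    enable = true;
    ssh = {
      enable = true;
      # A port other than 22 makes the initrd host identity visibly different from the
      # real system's sshd, so known_hosts does not mix the two keys. 2222 is an assumption.
      port = 2222;
      # The initrd host key is stored in /boot (unencrypted), so generate a dedicated key
      # (ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key) rather
      # than reusing the system host key. Path is an assumption.
      hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
      # Public key of the admin workstation; placeholder value.
      authorizedKeys = [ "ssh-ed25519 AAAA_PLACEHOLDER_PUBLIC_KEY admin@workstation" ];
    };
    # Scripted initrd only: after logging in over SSH, the shell profile loads all keys
    # and then stops the blocking `zfs load-key` the stage-1 script is waiting on.
    postCommands = ''
      echo "zfs load-key -a && killall zfs" >> /root/.profile
    '';
  };
}
```

With this in place, `nmap` should show the chosen port open while the system sits at the passphrase prompt; after `ssh -p 2222 root@server` and the automatic `zfs load-key -a`, boot continues. This applies to the scripted (non-systemd) stage 1; with `boot.initrd.systemd.enable = true` the key is instead entered through `systemd-tty-ask-password-agent` after logging in, and the `/root/.profile` line above is not used.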