The branch main has been updated by ambrisko: URL: https://cgit.FreeBSD.org/src/commit/?id=276a3dacdb60b65d65301aced5d8443cc5d27ea2
commit 276a3dacdb60b65d65301aced5d8443cc5d27ea2 Author: Doug Ambrisko <[email protected]> AuthorDate: 2026-06-22 18:45:42 +0000 Commit: Doug Ambrisko <[email protected]> CommitDate: 2026-06-23 15:12:43 +0000 zfskeys - only prompt if zfskeys and zfskeys_prompt are enabled By default don't block booting with a prompt if a zpool needs a keyboard password to unlock it. To enable prompting for keyboard password during boot require: zfskeys_enable="YES" zfskeys_prompt_enable="YES" to both be enabled. This returns to POLA of prior behaviour. PR: 296130 Reviewed by: kevans Differential Revision: https://reviews.freebsd.org/D57750
---
 libexec/rc/rc.conf | 1 +
 libexec/rc/rc.d/zfskeys | 16 +++++++++-------
 2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/libexec/rc/rc.conf b/libexec/rc/rc.conf
index 27e8c8456b6f..6e70baccac98 100644
--- a/libexec/rc/rc.conf
+++ b/libexec/rc/rc.conf
@@ -77,6 +77,7 @@ rc_conf_files="/etc/rc.conf /etc/rc.conf.local"
 # ZFS support
 zfs_enable="NO" # Set to YES to automatically mount ZFS file systems
 zfskeys_enable="NO" # Set YES to autoload ZFS encryption keys
+zfskeys_prompt_enable="NO" # Set YES to prompt during booting
 zfs_bootonce_activate="NO" # Set YES to make successful bootonce BE permanent
 zpool_reguid="" # Set to zpools for which the GUID should be replaced
 # upon first boot.
diff --git a/libexec/rc/rc.d/zfskeys b/libexec/rc/rc.d/zfskeys
index aff0224d5c9d..af47f8737c13 100755
--- a/libexec/rc/rc.d/zfskeys
+++ b/libexec/rc/rc.d/zfskeys
@@ -20,6 +20,7 @@ required_modules="zfs"
 : ${zfskeys_datasets:=''}
 : ${zfskeys_timeout:=10}
 : ${zfskeys_unload_force:='NO'}
+: ${zfskeys_prompt_enable:='NO'}

 encode_args()
 {
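Review bot: The comment on the new `zfskeys_prompt_enable` line in rc.conf does not say what is prompted for, nor that the knob only takes effect together with `zfskeys_enable`, which the commit message states as a requirement. A comment such as `# Set YES to prompt for ZFS keys at boot (needs zfskeys_enable)` would carry both. The diffstat lists only rc.conf and rc.d/zfskeys, so if rc.conf(5) documents the zfskeys knobs it presumably still needs an entry for this one.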
@@ -45,13 +46,14 @@ unlock_fs()
 local kl="$2"
 local k="${kl##file://}"

- if [ "$kl" == "prompt" ]
- then
- echo "Key prompt for $fs."
- if zfs load-key -L "$kl" "$fs" < /dev/tty > /dev/tty 2>/dev/tty ; then
- echo "Key loaded for $fs."
- else
- echo "Key failed to load for $fs."
+ if [ "$kl" == "prompt" ]; then
+ if checkyesno zfskeys_prompt_enable ; then
+ echo "Key prompt for $fs."
+ if zfs load-key -L "$kl" "$fs" < /dev/tty > /dev/tty 2>/dev/tty ; then
+ echo "Key loaded for $fs."
+ else
+ echo "Key failed to load for $fs."
+ fi
 fi
 elif [ "$k" ] && [ -f "$k" ] && [ -s "$k" ] && [ -r "$k" ]; then
 if [ "$(zfs get -Ho value keystatus "$fs")" = 'available' ]; then
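Review bot: With `zfskeys_prompt_enable` left at NO, the `prompt` branch of unlock_fs now does nothing and prints nothing, so a dataset whose keylocation is `prompt` stays locked with no trace in the boot output. An `else` arm on the `checkyesno` test would make the skip visible, for example `echo "Key prompt for $fs skipped, zfskeys_prompt_enable is not set."`. The outer test also keeps `==`, which POSIX test(1) does not define, while the `keystatus` comparison a few lines below uses `=`; using `=` in both would be consistent. unlock_fs starts before this hunk and continues past it.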
