zfs: add option to save encryption credentials in kernel keyring

Shawn8901 · Dec 4, 2024 · 58b36ed · 58b36ed
1 parent be3f2a4
commit 58b36ed
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix
@@ -173,7 +173,7 @@ let
                   tries=3
                   success=false
                   while [[ $success != true ]] && [[ $tries -gt 0 ]]; do
-                    ${systemd}/bin/systemd-ask-password --timeout=${toString cfgZfs.passwordTimeout} "Enter key for $ds:" | ${cfgZfs.package}/sbin/zfs load-key "$ds" \
+                    ${systemd}/bin/systemd-ask-password ${lib.optionalString cfgZfs.storeEncryptionCredentials("--keyname=zfs-$ds")} --timeout=${toString cfgZfs.passwordTimeout} "Enter key for $ds:" | ${cfgZfs.package}/sbin/zfs load-key "$ds" \
                       && success=true \
                       || tries=$((tries - 1))
                   done
@@ -322,6 +322,8 @@ in
         '';
       };
 
+      storeEncryptionCredentials = lib.mkEnableOption "Stores the encryption credentials in kernel keyring with keyname=zfs-<poolame>";
+
       passwordTimeout = lib.mkOption {
         type = lib.types.int;
         default = 0;