I have set up an OS with an encrypted ZFS root. It asks me for a password when booting. Now I want to add a script to unlock the system. I have done it like this; note that for demonstration purposes, I set a password directly in the script:
```sh
sudo tee /etc/initramfs-tools/scripts/init-premount/unlock << 'EOF'
#!/bin/sh
PREREQ=""
prereqs() { echo "$PREREQ"; }
case "$1" in prereqs) prereqs && exit 0 ;; esac
. /scripts/functions
echo "unlock script" > /dev/console
modprobe zfs
# import without mounting any dataset; the zfs initramfs script mounts the root later
zpool import -N rpool
key='my_password' # demo
# feed the passphrase to zfs load-key on stdin (quoted, so it is passed verbatim)
printf '%s\n' "$key" | zfs load-key rpool
exit 0
EOF
sudo chmod +x /etc/initramfs-tools/scripts/init-premount/unlock
sudo update-initramfs -u -k all
```
Now this almost works, BUT when it boots, it fails and says `No pool imported. Manually import the root pool.` I am dropped back to the initramfs prompt. But I can just `exit` and then it resumes and boots. Everything seemed to be in order. I figured out that the message comes from `scripts/zfs` in my `/boot/initrd.img`.

I looked at the script a bit. I have set `zpool set bootfs=rpool/ROOT/os rpool` because I have `GRUB_CMDLINE_LINUX="root=ZFS=rpool/ROOT/os"` in `/etc/default/grub`. Still, the script seems to think that it still needs to import a pool and cannot find the already imported and decrypted pool.

I want to understand how I can fix this so I can experiment with other unlock methods such as SSH and TPM. My first step is to set it up with a USB key.

I also found mentions of `zfs/initramfs-tools-load-key.d` in https://github.com/openzfs/zfs/issues/13757 but I need help from someone with more expertise to understand the correct approach.
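The following is an added example, not part of the question and not code from OpenZFS or initramfs-tools: the USB-key variant of the same init-premount hook. Instead of an embedded passphrase it waits for a removable device identified by filesystem label, mounts it read-only, checks that the passphrase file is present and non-empty, and pipes it into `zfs load-key` on stdin, in the same import-then-load-key order as the script in the question (so it does not by itself change the interaction with `scripts/zfs` described above). The label `ZFSKEY`, the file name `rpool.key`, the `vfat` filesystem, the mount point `/run/zfskey`, the wait time and the helper names are all assumptions; the pool name `rpool` is taken from the question.

```shell
#!/bin/sh
# Added example of an initramfs init-premount hook (not the question's script):
# load the ZFS root pool passphrase from a file on a removable device.
# Assumed: a device with filesystem label $KEY_LABEL holds the passphrase in
# $KEY_FILE; udev inside the initramfs provides /dev/disk/by-label; the
# initramfs carries the $KEY_FSTYPE module; the pool is "rpool".
PREREQ=""
prereqs() { echo "$PREREQ"; }
case "$1" in prereqs) prereqs && exit 0 ;; esac

KEY_LABEL="${KEY_LABEL:-ZFSKEY}"     # filesystem label of the USB stick (assumed)
KEY_FSTYPE="${KEY_FSTYPE:-vfat}"     # its filesystem type (assumed)
KEY_FILE="${KEY_FILE:-rpool.key}"    # passphrase file on that filesystem (assumed)
KEY_MNT="${KEY_MNT:-/run/zfskey}"    # temporary mount point inside the initramfs
POOL="${POOL:-rpool}"                # pool name from the question
WAIT_SECS="${WAIT_SECS:-10}"         # how long to wait for USB enumeration

# Wait up to WAIT_SECS seconds for udev to create the by-label symlink.
# Prints the device path on success; returns 1 on timeout.
wait_for_key_device() {
    dev="/dev/disk/by-label/$KEY_LABEL"
    i=0
    while [ "$i" -lt "$WAIT_SECS" ]; do
        [ -b "$dev" ] && { printf '%s\n' "$dev"; return 0; }
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# Check the passphrase file below a mounted directory: it must be a regular,
# non-empty file. Prints its path on success; returns 1 otherwise.
find_key_file() {
    f="$1/$KEY_FILE"
    [ -f "$f" ] && [ -s "$f" ] || return 1
    printf '%s\n' "$f"
}

# Import the pool without mounting datasets (if it is not imported already),
# then hand the passphrase to `zfs load-key` on stdin, like the manual version.
# The stick is mounted read-only and unmounted again whatever happens.
unlock_pool_from_usb() {
    dev=$(wait_for_key_device) || {
        echo "unlock: no device labelled $KEY_LABEL after ${WAIT_SECS}s" > /dev/console
        return 1
    }
    mkdir -p "$KEY_MNT"
    mount -t "$KEY_FSTYPE" -o ro "$dev" "$KEY_MNT" || return 1
    f=$(find_key_file "$KEY_MNT") || {
        echo "unlock: $KEY_FILE missing or empty on $dev" > /dev/console
        umount "$KEY_MNT"
        return 1
    }
    modprobe zfs
    zpool list -H -o name "$POOL" >/dev/null 2>&1 || zpool import -N "$POOL"
    zfs load-key "$POOL" < "$f"
    rc=$?
    umount "$KEY_MNT"
    return "$rc"
}

# Do the real work only inside the initramfs, where /scripts/functions exists;
# sourcing this file elsewhere just defines the functions above.
if [ -r /scripts/functions ]; then
    . /scripts/functions
    if unlock_pool_from_usb; then
        echo "unlock: key loaded for $POOL" > /dev/console
    else
        echo "unlock: key not loaded, expect the interactive prompt" > /dev/console
    fi
    exit 0
fi
```

Install it the same way as the script in the question (`chmod +x`, then `update-initramfs -u -k all`), and confirm the filesystem module for the stick is in the generated initramfs, otherwise the `mount` step fails and the hook falls through to the normal prompt. The passphrase file on the stick is a plaintext secret, so the device is effectively a boot token and should be removed once the system is up.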