https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=296130
Bug ID: 296130
Summary: rc.d/zfskeys blocks boot on keylocation=prompt datasets
Product: Documentation
Version: Latest
Hardware: amd64
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: Website
Assignee: [email protected]
Reporter: [email protected]
After upgrading from FreeBSD 14.4-RELEASE to 15.1-RELEASE, my system hung at
boot waiting for a passphrase. The cause was the rc.d/zfskeys script now
prompting interactively for every dataset with keylocation=prompt. On 14.x
these datasets were silently skipped.
In my case the affected datasets are encrypted ZFS backups received via raw
send (`zfs send -w`). Raw-received datasets always have keylocation=prompt by
default (ZFS cannot preserve the source key path). The backup pool was in
zpool.cache, so zfskeys iterated over it at boot and blocked on each
encryption root. This likely affects anyone using zero-knowledge encrypted
backup workflows (zfs-autobackup, syncoid, manual raw sends).
Presumably caused by commit 408087f128fe745dbfb2b8423f0afd9e0ce2d11a (D36081),
which added an explicit `keylocation=prompt` branch that reads from /dev/tty
unconditionally.
Previously these datasets fell through to the key-file check, which failed
harmlessly and skipped them.
This behavioral change is not mentioned in the errata for 15.0-RELEASE or
15.1-RELEASE. At a minimum it should be added as an errata entry for both
releases so administrators upgrading from 14.x are warned before rebooting.
Affected versions: 15.0-RELEASE, 15.1-RELEASE (14.x not affected).
Workaround: `zpool set cachefile=none <backuppool>` so the pool is not
auto-imported at boot, or `zpool export <backuppool>` to remove it from the
system entirely until needed.
Related: Phabricator D36081, commit 408087f128fe745dbfb2b8423f0afd9e0ce2d11a.
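
A pre-reboot check for the condition described in this report, as an added example that is not part of the original report or of the rc.d script: it lists, per pool, the encryption roots whose keylocation is `prompt`. The function names and the sample datasets are constructed; the script assumes the tab-separated output of `zfs list -H -o name,encryptionroot,keylocation,keystatus`.

```shell
#!/bin/sh
# Added example, not part of the bug report or the FreeBSD rc.d script.
# Lists encryption roots with keylocation=prompt, the datasets the report
# says rc.d/zfskeys on 15.x asks a passphrase for at boot.

# Input: tab-separated lines as printed by
#   zfs list -H -t filesystem,volume -o name,encryptionroot,keylocation,keystatus
# Output: "<pool> <encryption root> <keystatus>" per flagged dataset.
find_prompt_roots() {
    awk -F '\t' '
        # An encryption root is a dataset whose encryptionroot is itself.
        $1 == $2 && $3 == "prompt" {
            split($1, parts, "/")      # parts[1] is the pool name
            print parts[1], $1, $4
        }'
}

# Constructed sample (hypothetical pools and datasets): a boot pool with a
# key file and a backup pool holding raw-received datasets.
sample_zfs_list() {
    printf '%s\t%s\t%s\t%s\n' \
        'zroot' '-' 'none' '-' \
        'zroot/home' 'zroot/home' 'file:///etc/zfs/home.key' 'available' \
        'backup' '-' 'none' '-' \
        'backup/hostA' 'backup/hostA' 'prompt' 'unavailable' \
        'backup/hostA/data' 'backup/hostA' 'none' 'unavailable' \
        'backup/hostB' 'backup/hostB' 'prompt' 'unavailable'
}

# Run against the imported pools of the live system.
audit_live() {
    zfs list -H -t filesystem,volume \
        -o name,encryptionroot,keylocation,keystatus | find_prompt_roots
}

if [ "${1:-}" = "live" ]; then
    audit_live
else
    sample_zfs_list | find_prompt_roots
fi
```

Run with the argument `live` before rebooting into 15.x; any pool named in the first column is a candidate for the `cachefile=none` or `zpool export` workaround given in the report.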