How can I unlock native encrypted ZFS rpool by USB drive?

bodenlos

New Member
Oct 17, 2023
Hi.
I am quite new to Proxmox VE on ZFS. And for my use cases I need an encrypted dataset (rpool/data). Based on what I have read so far, it should not be a big deal to generate an encryption key, create encrypted dataset and store the key inside rpool/ROOT. I would do it like that:

Bash:
# Create a new 32-byte raw encryption key; the umask keeps it from ever being world-readable
(umask 077; dd if=/dev/urandom bs=32 count=1 of=/.data.key)

# Set the appropriate permission (owner read-only)
chmod 400 /.data.key

# Make the key immutable
chattr +i /.data.key

# Create a new dataset with encryption enabled, reading the raw key from that file
zfs create -o encryption=on -o keylocation=file:///.data.key -o keyformat=raw rpool/data

Next step: set up a systemd service for automatic unlocking in /etc/systemd/system/zfs-load-key.service

Code:
[Unit]
Description=Load encryption keys
DefaultDependencies=no
After=zfs-import.target
Before=zfs-mount.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/zfs load-key -a

[Install]
WantedBy=zfs-mount.service

I think so far that should be fine? ->> BUT: How to protect the key in rpool/ROOT? Encrypting might be an option, but I did not find a way of "easily" unlocking it. The posts I found so far describe the method of entering a passphrase on bootup or using ssh Dropbear for remote unlocking. But that does not fit our requirements, because the server will be located in a company with non-techies. And so I need an easy way to unlock after a power outage, reboot, ... So my idea is to create a USB drive that contains the key to unlock. When booting up, the people onsite should just put in the USB drive and that's it. The question is HOW TO tell the system that the required key (file or passphrase) is on the USB drive and HOW TO create this USB drive?

I thought maybe it could be an option not to encrypt rpool/ROOT and just point the keylocation of rpool/data directly to the USB drive? Something like that:
Bash:
zfs create -o encryption=on -o keylocation=/dev/sdXy -o keyformat=raw rpool/data

But I didn't get it to work... :( Maybe I use the wrong mount or path to the USB drive?
I would be very grateful if anybody could help me with that! I am a little bit desperate. o_O
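One way to do what the post asks for, as an added example that is not part of the original post or of Proxmox: put a 32-byte raw key on a small ext4-formatted stick, point the dataset's keylocation at that file with a file:// URI (a bare /dev/sdXy path is not a valid keylocation), and let a systemd unit wait for the stick by label, mount it read-only, run zfs load-key and unmount it again. The label ZFSKEY, mount point /media/zfskey, key file data.key and dataset rpool/data are assumptions.

```shell
# Added example, not from the original post. Assumed names: USB label ZFSKEY,
# mount point /media/zfskey, key file data.key, dataset rpool/data.
set -eu

KEY_LABEL=ZFSKEY
KEY_MOUNT=/media/zfskey
KEY_FILE=data.key
DATASET=rpool/data

# One-time: format the stick (whole device, e.g. /dev/sdb; erases it) and
# write a 32-byte raw key with mode 0600 so keyformat=raw accepts it.
prepare_usb_key() {
  mkfs.ext4 -q -L "$KEY_LABEL" "$1"
  mkdir -p "$KEY_MOUNT" && mount "$1" "$KEY_MOUNT"
  (umask 077; dd if=/dev/urandom bs=32 count=1 of="$KEY_MOUNT/$KEY_FILE" status=none)
  sync && umount "$KEY_MOUNT"
}

# With the stick mounted, point keylocation at the file on it (file:// URI).
create_dataset() {
  zfs create -o encryption=on -o keyformat=raw \
    -o keylocation="file://$KEY_MOUNT/$KEY_FILE" "$DATASET"
}

# Unit: wait until the labelled stick appears, mount it read-only, load the
# key, unmount again; the pool imports first and datasets mount afterwards.
render_unit() {
  cat <<EOF
[Unit]
Description=Load ZFS encryption key for $DATASET from USB stick
DefaultDependencies=no
After=zfs-import.target
Before=zfs-mount.service

[Service]
Type=oneshot
RemainAfterExit=yes
TimeoutStartSec=infinity
ExecStartPre=/bin/sh -c 'until [ -b /dev/disk/by-label/$KEY_LABEL ]; do sleep 2; done'
ExecStartPre=/bin/mkdir -p $KEY_MOUNT
ExecStartPre=/bin/mount -o ro,nodev,nosuid,noexec /dev/disk/by-label/$KEY_LABEL $KEY_MOUNT
ExecStart=/usr/sbin/zfs load-key $DATASET
ExecStartPost=/bin/umount $KEY_MOUNT

[Install]
WantedBy=zfs-mount.service
EOF
}
# Install: render_unit > /etc/systemd/system/zfs-load-key.service; systemctl daemon-reload; systemctl enable zfs-load-key.service
```

Because TimeoutStartSec is infinite, boot simply waits at this unit until someone plugs the stick in; pulling it out after boot leaves the already loaded key in memory, so the stick only needs to be present during startup.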
