author | sam-lunt <[email protected]> | 2019-12-26 12:55:20 -0600 |
---|---|---|
committer | Brian Behlendorf <[email protected]> | 2019-12-26 10:55:20 -0800 |
commit | ad353e214798619ef4244f84325eb48d8b1afdab (patch) | |
tree | a04f8d895a8c32425b4cf1ae51bd6e13af6951f6 /contrib/initramfs | |
parent | 8cda5c5ce9dfd26591fa26b7be17347ef6091250 (diff) |

In initramfs, do not prompt if keylocation is "file://"

If the encryption key is stored in a file, the initramfs should not
prompt for the password. For example, this could be the case if the boot
partition is stored on removable media that is only present at boot time.

Reviewed-by: Brian Behlendorf <[email protected]>
Reviewed-by: Garrett Fields <[email protected]>
Reviewed-by: Richard Laager <[email protected]>
Reviewed-by: Kjeld Schouten <[email protected]>
Signed-off-by: Sam Lunt <[email protected]>
Closes #9764

Diffstat (limited to 'contrib/initramfs')
-rw-r--r-- | contrib/initramfs/scripts/zfs.in | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/contrib/initramfs/scripts/zfs.in b/contrib/initramfs/scripts/zfs.in index 4b04c4be4..4bbdf53a7 100644 --- a/contrib/initramfs/scripts/zfs.in +++ b/contrib/initramfs/scripts/zfs.in @@ -411,6 +411,7 @@ decrypt_fs() # Determine dataset that holds key for root dataset ENCRYPTIONROOT="$(get_fs_value "${fs}" encryptionroot)" + KEYLOCATION="$(get_fs_value "${ENCRYPTIONROOT}" keylocation)" # If root dataset is encrypted... if ! [ "${ENCRYPTIONROOT}" = "-" ]; then @@ -418,8 +419,13 @@ decrypt_fs() # Continue only if the key needs to be loaded [ "$KEYSTATUS" = "unavailable" ] || return 0 TRY_COUNT=3 + + # If key is stored in a file, do not prompt + if ! [ "${KEYLOCATION}" = "prompt" ]; then + $ZFS load-key "${ENCRYPTIONROOT}" + # Prompt with plymouth, if active - if [ -e /bin/plymouth ] && /bin/plymouth --ping 2>/dev/null; then + elif [ -e /bin/plymouth ] && /bin/plymouth --ping 2>/dev/null; then while [ $TRY_COUNT -gt 0 ]; do plymouth ask-for-password --prompt "Encrypted ZFS password for ${ENCRYPTIONROOT}" | \ $ZFS load-key "${ENCRYPTIONROOT}" && break |
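
Review bot: In the first hunk (decrypt_fs, @@ -411), KEYLOCATION is read from "${ENCRYPTIONROOT}" before the `if ! [ "${ENCRYPTIONROOT}" = "-" ]` check, so on an unencrypted root get_fs_value is called with "-" as the dataset name. Move the assignment inside that if block, after the `[ "$KEYSTATUS" = "unavailable" ] || return 0` line, so the property is only looked up for a real encryption root whose key still has to be loaded.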
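
Review bot: In the second hunk (decrypt_fs, @@ -418), the new branch tests `! [ "${KEYLOCATION}" = "prompt" ]` while the comment above it says "If key is stored in a file"; the test matches every keylocation other than prompt, so either reword the comment to say that or match the file:// prefix the commit title names. The exit status of `$ZFS load-key "${ENCRYPTIONROOT}"` in this branch is also not checked in the lines shown, unlike the plymouth loop's `&& break`; since the commit message's own example is a key on removable media, a missing key file should produce a clear message or a fallback here, and TRY_COUNT is set just above but has no role in this branch.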