Passing Password to zfs mount command

If datasets have the same password, yet you need to enter it multiple times, this should mean that said datasets use different encryption roots/key locations; the output of zfs get encryptionroot,keylocation <pool>/<dataset1> <pool>/<dataset2> [...] should confirm this. You can use zfs change-key (see man zfs-change-key) to unify this.

To have the password entered automatically at boot time, you could use Network-Bound Disk Encryption (NBDE). Ubuntu provides packages for both Clevis and Tang, but you'd need to provide your own auxiliary script (e.g., in /usr/share/initramfs-tools/scripts/local-premount/) in order to ensure that the required keys are loaded. (Of course, Clevis–a pluggable framework for automated decryption–can work without Tang as well.)

For automated entry of password encrypted datasets, it can be automated using /etc/rc.local by adding the following template script:

_ZKY_=$(echo <base64_enc_pass> | base64 --decode)
echo $_ZKY_ | zfs mount -l <ds_1>
echo $_ZKY_ | zfs mount -l <ds_2>
...

Where:

• base64_enc_pass: Your password encrypted base64. You can enter the plaintext password if that is your poison.
• ds_n: Dataset name(s) to decrypt and mount

Note: to enable rc.local on systemd enabled systems, here are some instructions.

Alternatively, if you want to do this on demand, use this python script to streamline the entry of password just once:

Source for zmount.py:

import getpass
import sys
from subprocess import Popen, PIPE, STDOUT
_p=getpass.getpass('ZFS Dataset Password:')
for _ds in sys.argv[1:]:
    p = Popen(['zfs', 'mount', '-l', _ds], stdout=PIPE, stdin=PIPE, stderr=PIPE)
    _ = p.communicate(input=_p.encode())[0]

To use zmount.py:

% python3 zmount.py <ds_1> <ds_2>[ ...]