Hmm, how/when/where would the ‘zfs load-key’ happen?
I only know how to use the systemd-ask-password hack to decrypt non-root datasets, but can’t get my head around how that would work with a fully encrypted root dataset.
Presumably it would be like FreeBSD's GELI, where early boot stuff would need to detect that it's looking at an encrypted root and know to prompt. In theory, this is relatively straightforward: with boot environments, the zpool bootfs property indicates the root dataset, so I wouldn't think you need to look too far.
[edit: this is done in our loader, so presumably you'd use grub?]
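The lookup described above (pool `bootfs` property, then the dataset's encryption root, then a key prompt only if the key is not yet loaded), sketched as an added example that is not from this thread or from any loader's code. The function names are hypothetical, and it assumes the OpenZFS `zpool` and `zfs` tools are available in the early-boot environment and that the caller knows the pool name.

```shell
#!/bin/sh
# Added example: function names are hypothetical; only the zpool/zfs
# subcommands and properties (bootfs, encryptionroot, keystatus) are real.

# Print the dataset named by the pool's bootfs property; fail if it is unset.
boot_dataset() {
    ds=$(zpool get -H -o value bootfs "$1") || return 1
    [ -n "$ds" ] && [ "$ds" != "-" ] || return 1
    printf '%s\n' "$ds"
}

# Print the encryption root whose key must be loaded before the given
# dataset can be mounted. Prints nothing when no prompt is needed.
key_needed_for() {
    encroot=$(zfs get -H -o value encryptionroot "$1") || return 1
    # "-" means the dataset is not encrypted at all.
    [ "$encroot" = "-" ] && return 0
    status=$(zfs get -H -o value keystatus "$encroot") || return 1
    # The key may already be loaded, e.g. by an earlier boot stage.
    [ "$status" = "available" ] && return 0
    printf '%s\n' "$encroot"
}

# Resolve the root dataset for a pool, load its key if required, and
# print the dataset name so the caller can mount it.
unlock_root() {
    pool=$1
    ds=$(boot_dataset "$pool") || {
        echo "no bootfs set on $pool" >&2
        return 1
    }
    encroot=$(key_needed_for "$ds") || return 1
    if [ -n "$encroot" ]; then
        # The key is loaded on the encryption root, which may be a parent
        # of the bootfs dataset. Keep any prompt text off stdout so the
        # caller only captures the dataset name.
        zfs load-key "$encroot" >&2 || return 1
    fi
    printf '%s\n' "$ds"
}

# Example call from an early-boot script (pool name is an assumption):
#   root=$(unlock_root rpool)
```
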