rc.conf: Document zfskeys

Fixes:		33ff39796ffe Add zfskeys rc.d script for auto-loading encryption keys
MFC after:	3 days
Reviewed by:	allanjude
Sponsored by:	Modirum
Sponsored by:	Klara, Inc
Differential Revision:	https://reviews.freebsd.org/D34427

1 files changed, 25 insertions, 1 deletions

diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5
index 2f124dd1cf3c..248864bb5ad8 100644
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
@@ -24,7 +24,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd November 30, 2021
+.Dd March 3, 2022
 .Dt RC.CONF 5
 .Os
 .Sh NAME
@@ -4641,6 +4641,30 @@ If set to
 .Dq Li YES ,
 and a boot environment marked bootonce is successfully booted,
 it will be made permanently active.
+.It Va zfskeys_enable
+.Pq Vt bool
+If set to
+.Dq Li YES ,
+enable auto-loading of encryption keys for encrypted ZFS datasets.
+For every dataset the script will first load the appropriate encryption key
+and the attempt to unlock the dataset.
+.Pp
+The script operates only on datasets which are encrypted with
+ZFS native encryption
+and have a ZFS
+.Dq Li keylocation
+dataset property beginning with
+.Dq Li file:// .
+.It Va zfskeys_datasets
+.Pq Vt str
+A whitespace-separated list of ZFS datasets to unlock.
+The list is empty by default,
+which means that the script will attempt to unlock all datasets.
+.It Va zfskeys_timeout
+.Pq Vt int
+Define the total number of seconds to wait for the zfskeys script
+to unlock an encrypted dataset.
+The default is 10.
 .El
 .Sh FILES
 .Bl -tag -width ".Pa /etc/defaults/rc.conf" -compact