In /etc/fstab/ include a x-systemd.requires=unlock-bcachefs-vault.service mount option. This service does the unlocking before the mount is triggered. Example line as in my /etc/fstab:
UUID=bf512699-6643-4d96-a793-daaf3f1d34f1 /mnt/vault bcachefs nofail,x-systemd.requires=unlock-bcachefs-vault.service 0 0
The content of the unlock service:
# cat /etc/systemd/system/unlock-bcachefs-vault.service
[Unit]
Description=Unlock bcachefs Vault
After=-.mount
Before=mnt-vault.mount
[Service]
Type=oneshot
ExecStart=/usr/sbin/bcachefs unlock -f /path/to/key/for/vault /dev/disk/by-uuid/bf512699-6643-4d96-a793-daaf3f1d34f1
[Install]
WantedBy=multi-user.target
- I'm not sure the
Before=mnt-vault.mountis required. Probably more flexible to usex-systemd.after=unlock-bcachefs-vault.service. - This requires 'newish' versions of
bcachefs-tools. I believe newer than 1.6.0; assumingly since commit 5b21631, tested using 1.7.0.
Thanks for this! I was able to get my encrypted bcachefs filesystem unlocking and mounting at startup with it. However I don't think the
BeforeandWantedBydependencies need to be specified in the unlock service:x-systemd.requiresinfstabseems to be sufficient to run the unlock service first.My unit file was also working without
After, though I've added it now for completeness considering the keyfile/bcachefs binary lives on the root drive: I don't know enough about systemd unit dependencies to say if it works a few times without now, that it'll keep working into the future.Here's what I'm using: