It may be helpful to know that the former r/zfs community has migrated to a Discourse server at practicalzfs.com. Might be worth asking there for some expert advice.
I tried posting there, but the mods haven’t been there in a couple of days to approve my post. I tried posting on Reddit, but since Reddit is a garbage website that no one should ever visit, I was immediately shadowbanned and no one has seen my posts.
Thanks for your post.
I’m glad you asked, it’s always good to learn new things! The idea behind having a drive that automatically decrypts on boot is so you have data protection at rest when the server is off but are still able to have the server start up and run the tasks it needs to do without having to input a password before the machine starts up. Encryption keys are stored in the TPM, which is usually stored on the CPU, and the data should still be protected by the login prompt unless there is some type of bug that bypasses the login prompt.
So imagine a scenario where the power goes out, even just for a small amount of time. The uninterruptible power supply connected to the server allows for clean unmounting of the filesystems and then shuts the server off. The server then comes back on when power is detected from the grid again. If an encrypted drive doesn’t have automatic decryption and requires a passphrase before boot, the services that I’m self-hosting aren’t running. I’m wanting to run Home Assistant and a security camera NVR, so that could mean that I’m stumbling around in the dark tripping over things to get to the server to type in a passphrase, or there could be a robbery and I now have no evidence of who the culprit might be.
Having the drives automatically decrypt in a safe manner helps ensure higher availability (without me spending a small fortune in additional hardware costs because you can usually throw money at a problem to fix it), and data protection in the event of a smash and grab robbery.
The alternative to automatically decrypting drives while ensuring my services work after power failure is to not encrypt the drives at all.
Let me know if you have any more questions. Thank you for your post.