--- /usr/lib/initcpio/hooks/zfs	2019-06-16 08:51:23.000000000 +1000
+++ /usr/lib/initcpio/hooks/zfs-pivy	2019-08-17 15:03:51.646679893 +1000
@@ -43,6 +43,15 @@
     # export encription root to be used by other hooks (SSH)
     echo "${encryptionroot}" > /.encryptionroot
 
+    # if the dataset has an ebox, use pivy-zfs to unlock it
+    if [ "$(zfs get -H -o source rfd77:ebox "${dataset}")" == "local" ]; then
+        # loop until pivy-zfs unlock succeeds
+        while [ "$(zfs get -H -o value keystatus "${encryptionroot}")" != "available" ] &&
+          ! eval pivy-zfs unlock "${encryptionroot}"; do
+            sleep 2
+        done
+    fi
+
     # loop until we get the correct password or key is unlocked by another vector (SSH for instance)
     while [ "$(zfs get -H -o value keystatus "${encryptionroot}")" != "available" ] &&
       ! eval zfs load-key "${encryptionroot}"; do
@@ -55,6 +64,7 @@
 }
 
 zfs_mount_handler () {
+    msg ":: importing and mounting root pool"
     if [ "${ZFS_DATASET}" = "bootfs" ] ; then
         if ! zfs_get_bootfs ; then
             # Lets import everything and try again
@@ -125,6 +135,28 @@
     # Wait 15 seconds for ZFS devices to show up
     [ "${zfs_wait}" = "" ] && ZFS_WAIT="15" || ZFS_WAIT="${zfs_wait}"
 
+    # Start pcscd, in case we want it for pivy-zfs
+    msg ":: starting pcscd"
+    pcscd --force-reader-polling --foreground &
+    while [[ ! -f /run/pcscd/pcscd.pid ]]; do
+        sleep 0.2
+    done
+    pcscd_pid=$(cat /run/pcscd/pcscd.pid)
+    kill_pcscd() {
+        if [[ -n "$pcscd_pid" ]]; then
+            kill $pcscd_pid
+        fi
+        pcscd_pid=
+    }
+    trap kill_pcscd EXIT
+    msg ":: waiting for smartcard devices..."
+    sleep 5 
+    udevadm trigger &
+    sleep 1
+    pcscd --hotplug
+    pivy-tool list >/dev/null 2>/dev/null &
+    sleep 2
+
     case ${root} in
         # root=zfs
         "zfs")
@@ -178,12 +210,17 @@
         sleep 1
     done
     kill $pid > /dev/null 2>&1
+    kill_pcscd
 }
 
 run_latehook () {
     set_flags
     # only run zpool import, if flags were set (cache file found / zfs_import_dir specified)
     [ ! "${ZPOOL_IMPORT_FLAGS}" = "" ] && zpool import ${ZPOOL_IMPORT_FLAGS} -N -a ${ZPOOL_FORCE}
+    # loop through all imported pools and if they have encryption at the root, unlock them now
+    for x in $(zpool list -Ho name); do
+        zfs_decrypt_fs "$x"
+    done
 }
 
 # vim:set ts=4 sw=4 ft=sh et: