I do this. The datasets only unlock if:
- A specific USB stick (identified by its UUID) is inserted into the system
- That USB contains the ‘encrypted.passphrase’ file containing the unlock passphrase.
- The decryption key file ‘my.key’ exists somewhere in the boot pool
- The decrypted passphrase matches the dataset password
If I need physical theft security, I pull the USB key. Done. When the system boots with the USB inserted, it will unlock any datasets configured in the script. It can also be run manually.
My script runs POSTINIT.
This thread should get you there. This approach can be used to unlock the parent first then any child datasets on boot.
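The checks the post lists, written out as an added example script that is not the poster's own (the USB UUID, mount point, key file path, dataset names and the openssl recipe for encrypted.passphrase are all assumptions):

```shell
#!/bin/sh
# Added example, not the poster's own script: a TrueNAS POSTINIT-style unlock that
# only proceeds when the USB stick with the expected filesystem UUID is present and
# the passphrase on it decrypts with a key file kept on the boot pool. Every path,
# UUID, dataset name and the openssl recipe below is an assumption; adjust to fit.
set -eu

USB_UUID="${USB_UUID:-REPLACE-WITH-USB-FILESYSTEM-UUID}"   # assumed placeholder
USB_MOUNT="${USB_MOUNT:-/mnt/unlock-usb}"                  # assumed mount point
KEY_FILE="${KEY_FILE:-/root/my.key}"                       # assumed spot on the boot pool
DATASETS="${DATASETS:-tank/secure tank/secure/docs}"       # assumed dataset names
BY_UUID_DIR="${BY_UUID_DIR:-/dev/disk/by-uuid}"
ZFS="${ZFS:-zfs}"
OPENSSL="${OPENSSL:-openssl}"

# Resolve the USB block device from its filesystem UUID; fails if it is not plugged in.
usb_device() {
    dev="$BY_UUID_DIR/$1"
    [ -e "$dev" ] && printf '%s\n' "$dev"
}

# Order dataset names parent-first: a parent's name is a strict prefix of its
# children's, so sorting by name length guarantees the parent is unlocked first.
order_datasets() {
    printf '%s\n' $1 | awk '{ print length($0), $0 }' | sort -n | cut -d' ' -f2-
}

# Decrypt encrypted.passphrase to stdout. Assumes it was created with
# 'openssl enc -aes-256-cbc -pbkdf2 -pass file:my.key'; my.key never leaves the host.
decrypt_passphrase() {
    "$OPENSSL" enc -d -aes-256-cbc -pbkdf2 -pass "file:$2" -in "$1"
}

unlock_datasets() {
    dev=$(usb_device "$USB_UUID") || { echo "unlock USB absent; datasets stay locked" >&2; return 1; }
    [ -r "$KEY_FILE" ] || { echo "$KEY_FILE unreadable; datasets stay locked" >&2; return 1; }
    mkdir -p "$USB_MOUNT"
    mount -o ro "$dev" "$USB_MOUNT"
    trap 'umount "$USB_MOUNT"' EXIT   # never leave the passphrase stick mounted
    for ds in $(order_datasets "$DATASETS"); do
        if [ "$("$ZFS" get -H -o value keystatus "$ds")" = available ]; then continue; fi
        # load-key reads the passphrase on stdin (never on the command line); a wrong
        # passphrase makes it fail and set -e stops the script before anything mounts.
        decrypt_passphrase "$USB_MOUNT/encrypted.passphrase" "$KEY_FILE" | "$ZFS" load-key "$ds"
        "$ZFS" mount "$ds"
    done
}

# Run the unlock only when invoked as 'sh unlock.sh run', so the functions can be sourced.
if [ "${1:-}" = run ]; then unlockDatasetsPlaceholder=; unlock_datasets; fi
```

Register it as a POSTINIT script invoked as `sh unlock.sh run`; with the stick pulled, `usb_device` fails and every dataset stays locked.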