I employ the USB encryption key method, my keys are encrypted on the usb device so they cannot be read in plaintext. This is a cruical step should your usb device fall into the wrong hands. I have a post-init script that reads a specific USB UUID, decrypts the password using a key stored on the host, then unlocks the datasets. If the usb device is not present, datasets are not unlocked.
How to set up encryption to be physically theft-proof? - TrueNAS General - TrueNAS Community Forums