This is not an easily solved problem; any sort of storage on the system which would hold the key is going to be accessible to anyone who gets access to the machine.
In other arenas (LUKS), it is possible to use a TPM to provide a decryption key in a way which cannot be extracted, thus if the storage device is separated from the computer containing that TPM it will be difficult to decrypt the data. This does not address all possible threat models, but it addresses some of them. A quick search found this page, but there are probably others: OpenZFS encryption and the TPM :: HowettNET
I’ve seen talk about things like USB sticks on extensions and even Raspberry Pis serving up a secret from a closet or false ceiling. As long as you have a full environment with tools like curl you can get pretty creative.
I have the same concern. I personally use encrypted root on all of my devices which I then manually unlock on reboot over SSH. You can implement this both with LUKS and “traditional” partitions or with OpenZFS and ZFSBootMenu. In the first case you can keep the ZFS key on your LUKS encrypted root.
It’s not the most convenient, but I don’t reboot my machines often enough to think about automating this further.
Sorry, I am a little late to this discussion, but I want to share my thoughts on this.
I don't think that it is necessary to protect and encrypt the root filesystem. The root filesystem typically does not contain any user owned data but just files which are installed by the system. There is nothing to hide from a thief. More relevant is your personal data which is hopefully not on the root filesystem.
I only protect my personal data with encryption. That is /home and /data. These are separate datasets. I store the encryption key on a network drive. During boot I copy it from the network drive to a volatile directory, like /tmp, and mount the datasets after that.
With that approach, a thief must have access to the network drive to mount my personal data, but that is unlikely in my case.
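As an added example that is not code from anyone in this thread, here is a boot-time script implementing the network-drive key approach described in the post above: separate encrypted datasets, the wrapping key copied from the share into a volatile directory, datasets unlocked and mounted, then the staged copy removed. The mount point, dataset names, key file name and staging directory are constructed assumptions; it also assumes the datasets use keyformat=raw (a 32-byte key) and that the network share is already mounted before the script runs.

```shell
#!/bin/sh
# Added example, not code from any post in this thread: unlock separate
# encrypted /home and /data datasets at boot with a key fetched from a
# network share. Constructed assumptions: the share is already mounted at
# KEY_SHARE, the datasets use keyformat=raw (32-byte key), and the staging
# directory is tmpfs-backed so the key never touches local persistent disk.

KEY_SHARE="${KEY_SHARE:-/mnt/keyshare}"      # mount point of the network drive
KEY_NAME="${KEY_NAME:-home-data.key}"         # key file on the share
KEY_TMP="${KEY_TMP:-/run/zfs-keys}"           # volatile staging dir (tmpfs)
DATASETS="${DATASETS:-tank/home tank/data}"   # datasets to unlock, space separated
ZFS="${ZFS:-zfs}"                             # zfs command; overridable for testing

# Copy the key from the share into the staging dir with owner-only permissions.
# Prints the staged path; returns 1 if the key is missing or not 32 bytes.
stage_key() {
    src="$KEY_SHARE/$KEY_NAME"
    dst="$KEY_TMP/$KEY_NAME"
    [ -r "$src" ] || { echo "key not readable: $src" >&2; return 1; }
    # A raw key for aes-256-gcm is exactly 32 bytes; reject anything else
    # early rather than letting zfs fail with a less specific error.
    size=$(wc -c < "$src")
    [ "$size" -eq 32 ] || { echo "bad key size $size, want 32" >&2; return 1; }
    mkdir -p "$KEY_TMP" && chmod 0700 "$KEY_TMP"
    (umask 077 && cp "$src" "$dst") || return 1
    printf '%s\n' "$dst"
}

# Load the wrapping key for each dataset from the staged file and mount it.
# Returns the number of datasets that failed, so 0 means all are mounted.
unlock_datasets() {
    keyfile="$1"
    failed=0
    for ds in $DATASETS; do
        if "$ZFS" load-key -L "file://$keyfile" "$ds" && "$ZFS" mount "$ds"; then
            echo "mounted $ds" >&2
        else
            echo "failed to unlock $ds" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Remove the staged key once the datasets are mounted. On tmpfs the file
# lives only in RAM, so deleting it is what matters; the overwrite is cheap
# insurance in case the staging dir turns out not to be tmpfs.
wipe_key() {
    keyfile="$1"
    [ -f "$keyfile" ] || return 0
    dd if=/dev/urandom of="$keyfile" bs=32 count=1 conv=notrunc 2>/dev/null
    rm -f "$keyfile"
}

# Full boot-time sequence: stage, unlock, wipe. Returns 0 only if every
# dataset was mounted; the key copy is removed on every path.
unlock_from_share() {
    keyfile=$(stage_key) || return 1
    unlock_datasets "$keyfile"
    rc=$?
    wipe_key "$keyfile"
    return "$rc"
}

# Run the sequence only when invoked directly under the assumed script name,
# so the functions can also be sourced from another boot script.
if [ "${0##*/}" = "unlock-zfs.sh" ]; then
    unlock_from_share
fi
```

The staging directory is the part worth checking on a real machine: /tmp is only volatile if it is tmpfs-backed, whereas /run normally is, which is why the example defaults to a subdirectory of /run. After boot, `zfs get keystatus tank/home tank/data` should report `available` for both datasets while the staged key file no longer exists.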