How to Replace a ZFS Cluster File System Encryption Key

Use the zfs key -c command to replace an encrypted file system's wrapping key. The wrapping key protects the file system's data encryption key, so changing it rewraps that key under the new wrapping key; the data already on disk is not re-encrypted.

For more information about ZFS encryption, see Encrypting ZFS File Systems in Managing ZFS File Systems in Oracle Solaris 11.4.

  1. Obtain the list of encryption keys that are currently registered with the cluster.
    phys-schost# cldevicegroup key-list -v

    The following example shows the existing encryption keys:

    phys-schost# cldevicegroup key-list -v
    Keyname         Key
    -------         ---
    DEC-2020-key    b268ae3f9beebbc12296aa4f472328b5deca0b33786eb92d25ccd4d2f465fc1c
  2. Create a new encryption key, specifying a key name that does not already appear in the list.
    phys-schost# cldevicegroup key-create -k new-keyname

    The following example command creates a new encryption key called JAN-2021-key:

    phys-schost# cldevicegroup key-create -k JAN-2021-key
  3. Replace the encryption key for the existing global ZFS file system with the new key. Repeat this step for every global ZFS file system that still uses the old key.
    phys-schost# zfs key -c -o keysource=hex,cluster:new-keyname dataset

    The following example command replaces the existing encryption key of the gpool/fs1 file system with the JAN-2021-key key:

    phys-schost# zfs key -c -o keysource=hex,cluster:JAN-2021-key gpool/fs1
  4. Remove the obsolete encryption key. Do this only after every file system that used the key has been rekeyed; the command cannot check file systems in offlined device groups, which is why it warns about them before prompting for confirmation.
    phys-schost# cldevicegroup key-remove -k key-name

    The following example command removes the obsolete encryption key, DEC-2020-key:

    phys-schost# cldevicegroup key-remove -k DEC-2020-key
    WARNING: Please ensure keyname 'DEC-2020-key' is not being used in any offlined Device Group.
    Are you sure you want to remove keyname 'DEC-2020-key' (y/n) [n]? y
  5. Verify that the device group uses the new encryption key.
    phys-schost# cldevicegroup key-list -v

    The following example shows the new JAN-2021-key key and not the DEC-2020-key key that you removed:

    phys-schost# cldevicegroup key-list -v
    Keyname         Key
    -------         ---
    JAN-2021-key    052b4ce65bbda7e2402fbcb965fde122aae0ce1d86581688e983f28aecc749de
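The following script, added here as an example and not part of the Oracle Solaris Cluster documentation, chains the five steps above into one guarded rotation: it parses the cldevicegroup key-list -v output to confirm that the old key is registered and the new name is unused, verifies after zfs key -c that the data set's keysource property names the new key, and only then runs key-remove (which still prompts for confirmation). It assumes that the keysource property reads back exactly as set, that is "hex,cluster:KEYNAME" (an assumption, not something this page states), and that a registered key is listed as 64 hex digits as in the listings above. The sample listing embedded in the script is constructed from the output shown on this page so that the parsing functions can be exercised without a cluster.

```shell
#!/bin/sh
# Added example: guarded wrapping-key rotation for a global ZFS file system.
# Not the documentation's own code; see the lead-in for assumptions.

# Constructed sample of "cldevicegroup key-list -v" output, copied from the
# listing above, used only for the self-check at the bottom of this file.
SAMPLE_LISTING='Keyname         Key
-------         ---
DEC-2020-key    b268ae3f9beebbc12296aa4f472328b5deca0b33786eb92d25ccd4d2f465fc1c'

# key_in_list LISTING KEYNAME
# Returns 0 when KEYNAME appears in key-list output with a 64-hex-digit key
# (the header and dash lines never match because their first field is not
# the key name), 1 otherwise.
key_in_list() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 == name && length($2) == 64 && $2 ~ /^[0-9a-fA-F]+$/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# keysource_uses_key KEYSOURCE KEYNAME
# KEYSOURCE is the value of the data set's keysource property. Assumption:
# it reads back in the "hex,cluster:KEYNAME" form in which it was set.
keysource_uses_key() {
    [ "$1" = "hex,cluster:$2" ]
}

# rotate_wrapping_key DATASET OLDKEY NEWKEY
# Runs the procedure on a live cluster. Every step is checked before the
# next one runs; the old key is removed only after the data set provably
# uses the new one.
rotate_wrapping_key() {
    ds=$1; old=$2; new=$3

    # Step 1: current key inventory.
    listing=$(cldevicegroup key-list -v) || return 1
    key_in_list "$listing" "$old" || {
        echo "old key '$old' is not registered; nothing to rotate from" >&2
        return 1
    }
    if key_in_list "$listing" "$new"; then
        echo "key name '$new' already exists; choose an unused name" >&2
        return 1
    fi

    # Step 2: create the new key and confirm it was registered.
    cldevicegroup key-create -k "$new" || return 1
    listing=$(cldevicegroup key-list -v) || return 1
    key_in_list "$listing" "$new" || {
        echo "key-create did not register '$new'" >&2
        return 1
    }

    # Step 3: rewrap the data encryption key; on-disk data is not rewritten.
    zfs key -c -o "keysource=hex,cluster:$new" "$ds" || return 1

    # Step 5 before step 4: verify the rotation took effect before removing
    # anything. If other file systems (including ones in offlined device
    # groups) still use the old key, rotate them first and stop here.
    src=$(zfs get -H -o value keysource "$ds") || return 1
    keysource_uses_key "$src" "$new" || {
        echo "'$ds' still reports keysource '$src'; keeping '$old'" >&2
        return 1
    }

    # Step 4: remove the obsolete key. The command's own y/n prompt is left
    # interactive so the operator sees the offlined-device-group warning.
    cldevicegroup key-remove -k "$old" || return 1

    # Final inventory check: old name gone, new name present.
    listing=$(cldevicegroup key-list -v) || return 1
    key_in_list "$listing" "$new" && ! key_in_list "$listing" "$old"
}

# self_check exercises the parsers against the constructed sample only; it
# touches no cluster commands. Returns 0 when all checks pass.
self_check() {
    key_in_list "$SAMPLE_LISTING" DEC-2020-key || return 1
    key_in_list "$SAMPLE_LISTING" JAN-2021-key && return 1
    key_in_list "$SAMPLE_LISTING" Keyname && return 1
    keysource_uses_key 'hex,cluster:JAN-2021-key' JAN-2021-key || return 1
    keysource_uses_key 'hex,cluster:DEC-2020-key' JAN-2021-key && return 1
    return 0
}

# Usage on a cluster node (the page's own example values):
#   rotate_wrapping_key gpool/fs1 DEC-2020-key JAN-2021-key
```

Run self_check first on any node to confirm the parsers agree with the key-list format of the installed cluster software; the rotation itself is only as safe as the check that the data set's keysource property has actually moved to the new key name, which is why the script refuses to call key-remove until that check passes.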