Changing an Encrypted ZFS File System's Keys

You can change an encrypted file system's wrapping key by using the zfs key -c command. The existing wrapping key must already be loaded, either at boot time, by explicitly loading the file system key (zfs key -l), or by mounting the file system (zfs mount filesystem). For example:

$ zfs key -c tank/home/megr
Enter new passphrase for 'tank/home/megr': xxxxxxxx
Enter again: xxxxxxxx

In the following example, the wrapping key is changed and the keysource property value is changed to specify that the wrapping key comes from a file.

$ zfs key -c -o keysource=raw,file:///media/stick/key tank/home/megr

The data encryption key for an encrypted file system can be changed by using the zfs key -K command, but the new encryption key is only used for newly written data. This feature can be used to provide compliance with NIST 800-57 guidelines on a data encryption key's time limit. For example:

$ zfs key -K tank/home/megr

In the above example, the data encryption key is neither visible to you nor directly managed by you; ZFS generates and manages it. In addition, you need the keychange delegation to perform a key change operation.

The following encryption algorithms are available:

  • aes-128-ccm, aes-192-ccm, aes-256-ccm

  • aes-128-gcm, aes-192-gcm, aes-256-gcm

The ZFS keysource property identifies the format and location of the key that wraps the file system's data encryption keys. For example:

$ zfs get keysource tank/home/megr
NAME              PROPERTY   VALUE              SOURCE
tank/home/megr  keysource  passphrase,prompt  local

The ZFS rekeydate property identifies the date of the last zfs key -K operation. For example:

$ zfs get rekeydate tank/home/megr
NAME              PROPERTY   VALUE                  SOURCE
tank/home/megr  rekeydate  Wed Jul 25 16:54 2012  local

If an encrypted file system's creation and rekeydate properties have the same value, the file system has never been rekeyed by a zfs key -K operation.
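The creation/rekeydate comparison above, together with the NIST 800-57 time-limit motivation for zfs key -K, can be turned into a small audit check. The script below is an added example and is not part of the Oracle Solaris documentation or of ZFS itself. It assumes that zfs get -Hp -o property,value prints tab-separated property/value lines with creation and rekeydate as seconds since the epoch; the sample outputs and the "now" timestamp are constructed so that the script runs without a ZFS pool.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris ZFS documentation.
# Reads the output of
#   zfs get -Hp -o property,value creation,rekeydate <filesystem>
# (assumed: -H drops the header, -p prints both dates as epoch seconds)
# and reports whether the data encryption key was ever rotated with
# "zfs key -K" and whether the last rotation is older than a site limit.

# rekey_status NOW_EPOCH MAX_AGE_DAYS  < property/value lines
# Prints one of: never-rekeyed | rekey-due | ok | missing-property
# Exit status: 0 for "ok", 1 when a rekey is needed, 2 on bad input,
# so the function can gate a cron job or a compliance report.
rekey_status() {
    now=$1
    max_days=$2
    creation=""
    rekeydate=""
    # Each line is "<property><TAB><value>"; split on the tab only.
    while IFS="$(printf '\t')" read -r prop value; do
        case $prop in
            creation)  creation=$value ;;
            rekeydate) rekeydate=$value ;;
        esac
    done
    if [ -z "$creation" ] || [ -z "$rekeydate" ]; then
        echo "missing-property"
        return 2
    fi
    # Same timestamp on both properties: zfs key -K has never been run.
    if [ "$creation" -eq "$rekeydate" ]; then
        echo "never-rekeyed"
        return 1
    fi
    # Age of the current data encryption key in whole days.
    age_days=$(( (now - rekeydate) / 86400 ))
    if [ "$age_days" -gt "$max_days" ]; then
        echo "rekey-due"
        return 1
    fi
    echo "ok"
    return 0
}

# Constructed sample: a file system never rekeyed, so creation and
# rekeydate carry the same timestamp (roughly Jul 25 2012 16:54 UTC).
sample_never_rekeyed() {
    printf 'creation\t1343235240\nrekeydate\t1343235240\n'
}

# Constructed sample: created earlier, last rekeyed on that same
# Jul 2012 timestamp, i.e. about 400 days before the "now" used below.
sample_stale() {
    printf 'creation\t1300000000\nrekeydate\t1343235240\n'
}

# Stand-alone demonstration against the constructed samples.
# On a Solaris host the pipeline would instead start with
#   zfs get -Hp -o property,value creation,rekeydate tank/home/megr
NOW=1377820800   # constructed "now": 2013-08-30 00:00:00 UTC
sample_never_rekeyed | rekey_status "$NOW" 365 || :
sample_stale        | rekey_status "$NOW" 365 || :
```

The threshold (365 days here) is a local policy choice; NIST 800-57 gives guidance on cryptoperiods rather than a single fixed number, so set MAX_AGE_DAYS from your own key-management policy.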