Changing an Encrypted ZFS File System's Keys
You can change an encrypted file system's wrapping key by using the zfs key -c command. The existing wrapping key must have been loaded first, either at boot time, by explicitly loading the file system key (zfs key -l), or by mounting the file system (zfs mount filesystem). For example:
$ zfs key -c tank/home/megr
Enter new passphrase for 'tank/home/megr': xxxxxxxx
Enter again: xxxxxxxx
In the following example, the wrapping key is changed and the keysource property value is changed to specify that the wrapping key comes from a file.
$ zfs key -c -o keysource=raw,file:///media/stick/key tank/home/megr
The data encryption key for an encrypted file system can be changed by using the zfs key -K command, but the new encryption key is only used for newly written data. This feature can be used to provide compliance with NIST 800-57 guidelines on a data encryption key's time limit. For example:
$ zfs key -K tank/home/megr
In the above example, the data encryption key is not visible to you, nor is it directly managed by you. In addition, you need the keychange delegation to perform a key change operation.
The following encryption algorithms are available:
- aes-128-ccm, aes-192-ccm, aes-256-ccm
- aes-128-gcm, aes-192-gcm, aes-256-gcm
The ZFS keysource property identifies the format and location of the key that wraps the file system's data encryption keys. For example:
$ zfs get keysource tank/home/megr
NAME            PROPERTY   VALUE              SOURCE
tank/home/megr  keysource  passphrase,prompt  local
The ZFS rekeydate property identifies the date of the last zfs key -K operation. For example:
$ zfs get rekeydate tank/home/megr
NAME            PROPERTY   VALUE                  SOURCE
tank/home/megr  rekeydate  Wed Jul 25 16:54 2012  local
If an encrypted file system's creation and rekeydate properties have the same value, the file system has never been rekeyed by a zfs key -K operation.
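As an added example that is not part of the Oracle documentation, the following POSIX shell function turns the creation/rekeydate comparison above and the NIST 800-57 key-age limit into a check you can run from a compliance script. It assumes that zfs get -H -p -o name,property,value creation,rekeydate prints tab-separated epoch-second values, and the 365-day limit is a hypothetical site policy, not a value from ZFS or NIST.

```shell
#!/bin/sh
# Added example, not from the Oracle ZFS documentation: report whether an
# encrypted dataset's data encryption key is due for rotation with 'zfs key -K'.
# Assumptions: 'zfs get -H -p -o name,property,value creation,rekeydate FS'
# prints tab-separated lines whose values are epoch seconds (assumption), and
# the key-age limit below is a hypothetical site policy value.

MAX_KEY_AGE_DAYS=365

# Constructed sample output for a dataset that was rekeyed after creation
# (values are made up; not captured from a real system).
SAMPLE_REKEYED=$(printf 'tank/home/megr\tcreation\t1325500000\ntank/home/megr\trekeydate\t1343235240\n')
# Constructed sample for a dataset whose creation and rekeydate are identical.
SAMPLE_NEVER=$(printf 'tank/home/old\tcreation\t1300000000\ntank/home/old\trekeydate\t1300000000\n')

# rekey_status NOW_EPOCH ZFS_GET_OUTPUT
# Prints one of "never-rekeyed N", "ok N" or "overdue N", where N is the age
# of the current data encryption key in whole days. Returns 2 on unusable input.
rekey_status() {
    now=$1
    output=$2
    creation=$(printf '%s\n' "$output" | awk -F'\t' '$2 == "creation" { print $3 }')
    rekeydate=$(printf '%s\n' "$output" | awk -F'\t' '$2 == "rekeydate" { print $3 }')
    if [ -z "$creation" ] || [ -z "$rekeydate" ]; then
        echo "error: creation or rekeydate missing from input" >&2
        return 2
    fi
    age_days=$(( (now - rekeydate) / 86400 ))
    if [ "$creation" -eq "$rekeydate" ]; then
        # Identical timestamps: no 'zfs key -K' has ever run on this dataset.
        echo "never-rekeyed $age_days"
    elif [ "$age_days" -gt "$MAX_KEY_AGE_DAYS" ]; then
        echo "overdue $age_days"
    else
        echo "ok $age_days"
    fi
}

# Live use on a Solaris host would be:
#   rekey_status "$(date +%s)" \
#     "$(zfs get -H -p -o name,property,value creation,rekeydate tank/home/megr)"
```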