Delegating ZFS Key Operation Permissions
Review the following permission descriptions for delegating key operations:
- Loading or unloading a file system key by using the zfs key -l and zfs key -u commands requires the key permission. In most cases, you will need the mount permission as well.
- Changing a file system key by using the zfs key -c and zfs key -K commands requires the keychange permission.
Consider delegating separate permissions for key use (load or unload) and key change, which allows you to have a two-person key operation model. For example, determine which users can use the keys versus which users can change them. Or, require that both users be present for a key change. This model also allows you to build a key escrow system.
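
One way to check that the key-use and key-change split actually holds on a dataset is to audit the delegation listing. This is an added example, not part of the original documentation. The users keyuser and keyadmin, the dataset tank/secure, and the sample listings are constructed, and the listing layout (lines of the form "user NAME perm,perm") is an assumption about what zfs allow prints.

```shell
#!/bin/sh
# Hypothetical setup this audit expects (names are placeholders):
#   zfs allow -u keyuser  key,mount  tank/secure
#   zfs allow -u keyadmin keychange  tank/secure

# Reads `zfs allow <dataset>` output on stdin and prints every principal
# that holds BOTH key and keychange. Returns 1 if any is found, else 0.
# Limitation: permission sets (@name) are not expanded.
find_key_overlap() {
    awk '
        function note(who, list,    n, i, p) {
            n = split(list, p, ",")
            for (i = 1; i <= n; i++) {
                if (p[i] == "key")       use[who] = 1
                if (p[i] == "keychange") change[who] = 1
            }
        }
        $1 == "user" || $1 == "group" { note($1 " " $2, $3) }
        $1 == "everyone"              { note($1, $2) }
        END {
            for (who in use)
                if (who in change) { print who; bad = 1 }
            exit bad
        }
    '
}

# Constructed listing: duties are split between two users.
sample_split() {
cat <<'EOF'
---- Permissions on tank/secure ----------------------------------
Local+Descendent permissions:
        user keyadmin keychange
        user keyuser key,mount
EOF
}

# Constructed listing: keyadmin can both load and change the key.
sample_overlap() {
cat <<'EOF'
---- Permissions on tank/secure ----------------------------------
Local+Descendent permissions:
        user keyadmin key,keychange,mount
        user keyuser key,mount
EOF
}
```

On a live system the same check would be run as `zfs allow tank/secure | find_key_overlap`, with a nonzero exit status meaning the two-person model is not enforced by the delegation.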