Delegating ZFS Key Operation Permissions

Review the following permission descriptions for delegating key operations:

  • Loading or unloading a file system key by using the zfs key -l and zfs key -u commands requires the key permission. In most cases, you will need the mount permission as well.

  • Changing a file system key by using the zfs key -c and zfs key -K commands requires the keychange permission.

Consider delegating separate permissions for key use (load or unload) and key change, which allows you to have a two-person key operation model. For example, determine which users can use the keys versus which users can change them, or require both users to be present for a key change. This model also allows you to build a key escrow system.
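The following script is an added example, not part of the Oracle documentation: it grants the key-use permissions (key plus mount) and the key-change permission (keychange) to two different users with zfs allow, and then checks zfs allow output for the separation-of-duties property that no single user or group holds both key and keychange. The ZFS_CMD variable, the helper function names, the user names alice, bob and carol, the dataset tank/home and the sample zfs allow listings are all constructed for the example; setting ZFS_CMD=echo previews the commands without touching a pool.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): delegate key use and key
# change to different users on a Solaris ZFS dataset, then verify from
# `zfs allow` output that nobody holds both key and keychange.
# Assumptions: Solaris zfs(1M) with the key/keychange delegated permissions;
# ZFS_CMD is a hypothetical override so the calls can be previewed (ZFS_CMD=echo).

ZFS_CMD="${ZFS_CMD:-zfs}"

# Key use: load/unload the key (zfs key -l / zfs key -u). Mount is granted as
# well because loading a key is usually followed by mounting the file system.
delegate_key_user() {
    # $1 = user, $2 = dataset
    "$ZFS_CMD" allow -u "$1" key,mount "$2"
}

# Key change: zfs key -c / zfs key -K only. This user cannot load or unload
# the key, so a change needs the key-use operator present as well.
delegate_key_changer() {
    # $1 = user, $2 = dataset
    "$ZFS_CMD" allow -u "$1" keychange "$2"
}

# Read `zfs allow <dataset>` output on stdin. Each "user NAME perm,perm" or
# "group NAME perm,perm" line is split on commas; exit 1 if any principal
# lists both key and keychange, which would collapse the two-person model.
check_separation() {
    awk '
        $1 == "user" || $1 == "group" {
            n = split($3, perms, ",")
            has_key = 0; has_change = 0
            for (i = 1; i <= n; i++) {
                if (perms[i] == "key") has_key = 1
                if (perms[i] == "keychange") has_change = 1
            }
            if (has_key && has_change) { print "violation: " $1 " " $2; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed listings in the layout `zfs allow` prints; not captured from a
# real system. The first keeps use and change apart, the second does not.
SAMPLE_OK='---- Permissions on tank/home ----
Local+Descendent permissions:
        user alice key,mount
        user bob keychange'

SAMPLE_BAD='---- Permissions on tank/home ----
Local+Descendent permissions:
        user carol key,keychange,mount'

# Usage on a real system (commands below are only previewed when ZFS_CMD=echo):
#   delegate_key_user alice tank/home
#   delegate_key_changer bob tank/home
#   zfs allow tank/home | check_separation
```

Run the check after every delegation change; it reads the listing from stdin, so it works equally on live `zfs allow` output and on a saved copy kept for audit.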