Bug #13697


zfs change-key does not follow clones, data loss ensues

Added by Alex Wilson about 3 years ago. Updated about 3 years ago.

Start date:
Due date:
% Done:


Estimated time:
Gerrit CR:
External Bug:


Currently zfs change-key does not properly cross clone boundaries:

root@omniosce:~# zfs create -o encryption=aes-256-gcm -o keyformat=passphrase rpool/enctest
Enter passphrase:
Re-enter passphrase:
root@omniosce:~# zfs create rpool/enctest/empty
root@omniosce:~# zfs snapshot rpool/enctest/empty@final
root@omniosce:~# zfs clone rpool/enctest/empty@final rpool/foobar
root@omniosce:~# zfs create rpool/foobar/baz
root@omniosce:~# echo hi > /rpool/foobar/baz/test.txt
root@omniosce:~# zfs umount rpool/foobar/baz
root@omniosce:~# zfs umount rpool/foobar    
root@omniosce:~# zfs change-key rpool/enctest
Enter new passphrase for 'rpool/enctest':
Re-enter new passphrase for 'rpool/enctest':
root@omniosce:~# zfs mount rpool/foobar
root@omniosce:~# zfs mount rpool/foobar/baz
cannot mount 'rpool/foobar/baz': Permission denied

This EACCES is being triggered by the MAC on the wrapped key failing because we never updated it. Once we get here, the rpool/foobar/baz dataset and all data on it is irretrievable.

Bug was fixed in 2019 in OpenZFS/ZoL:

Commit on their side was

My quick-and-dirty cherry-pick: (haven't checked the tests yet)

Actions #1

Updated by Jason King about 3 years ago

Just to copy over the ZFS commit info:

Fix clone handling with encryption roots

    Currently, spa_keystore_change_key_sync_impl() does not recurse
    into clones when updating encryption roots for either a call to
    'zfs promote' or 'zfs change-key'. This can cause children of
    these clones to end up in a state where they point to the wrong
    dataset as the encryption root. It can also trigger ASSERTs in
    some cases where the code checks reference counts on wrapping
    keys. This patch fixes this issue by ensuring that this function
    properly recurses into clones during processing.

    Reviewed-by: Brian Behlendorf <>
    Reviewed-by: Alek Pinchuk <>
    Signed-off-by: Tom Caputi <>
    Closes #9267
    Closes #9294 
Actions #2

Updated by Jason King about 3 years ago

The ZFS test suite passes -- no new failures, only the expected failures (with existing tickets).

Actions #3

Updated by Electric Monk about 3 years ago

  • Gerrit CR set to 1405
Actions #4

Updated by Electric Monk about 3 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

git commit 11326df80789c71d3ac24d5ff3da2c1c0617961a

commit  11326df80789c71d3ac24d5ff3da2c1c0617961a
Author: Tom Caputi <>
Date:   2021-04-07T19:01:09.000Z

    13697 zfs change-key does not follow clones, data loss ensues
    Reviewed by: Brian Behlendorf <>
    Reviewed by: Alek Pinchuk <>
    Reviewed by: Andy Fiddaman <>
    Reviewed by: Vitaliy Gusev <>
    Portions contributed by: Alex Wilson <>
    Portions contributed by: Jason King <>
    Approved by: Dan McDonald <>


Also available in: Atom PDF