I put these questions to Tom Caputi, who wrote the ZFS encryption. The quoted text below is what I asked him, and the unquoted text is his response:
> 1. Does ZFS rewrite the wrapped/encrypted master key in place? If
> not, the old master key could be retrieved off disk, decrypted
> with the known passphrase, and used to decrypt at least
> _existing_ data.
1) No. This is definitely an attack vector (although a very minor
one). At the time we had said that we would revisit the idea of
overwriting old keys when TRIM was added. That was several years ago
and TRIM is now in. I will talk to Brian about it after I am back
from the holiday.
> 2. Does a "zfs change-key" create a new master key? If not, the old
> master key could be used to decrypt _new_ data as well, at least
> until the master key is rotated.
2) zfs change-key does not create a new master key. It simply re-wraps
the existing master key. The master keys are never rotated. The key
rotation is done by using the master keys to generate new keys.
I put these questions to Tom Caputi, who wrote the ZFS encryption. The quoted text below is what I asked him, and the unquoted text is his response:
> 1. Does ZFS rewrite the wrapped/encrypted master key in place? If
> not, the old master key could be retrieved off disk, decrypted
> with the known passphrase, and used to decrypt at least
> _existing_ data.
1) No. This is definitely an attack vector (although a very minor
one). At the time we had said that we would revisit the idea of
overwriting old keys when TRIM was added. That was several years ago
and TRIM is now in. I will talk to Brian about it after I am back
from the holiday.
> 2. Does a "zfs change-key" create a new master key? If not, the old
> master key could be used to decrypt _new_ data as well, at least
> until the master key is rotated.
2) zfs change-key does not create a new master key. It simply re-wraps
the existing master key. The master keys are never rotated. The key
rotation is done by using the master keys to generate new keys.