Changing the encryption password. Does the old key work for old snapshots?

I replicate an encrypted ZFS dataset via raw send to a NAS. The key file is available at source and destination, to mount the dataset on both ends.

I want to change the key at source (either to a new key file or a password, for some child datasets or the root parent dataset). Do I have to provide the new key or password, or make any other changes, at destination?

My understanding is that the master key (the actual data encryption key) is encrypted with the user’s password/key, which is called the wrapped master key. This wrapped master key is dereferenced by ZFS and no longer available via ZFS (even though it may not be deleted by the disk firmware for some time). This wrapped master key is stored in metadata per dataset, not per snapshot. When the user’s key and therefore the wrapped master key changes, the metadata for the dataset and all its old and new snapshots are updated on both ends. So the old key will not work to decrypt any of the old or new snapshots on either side.

If the old snapshots are mounted, they remain mounted until unmounted.

Is that right?

Can I change the key at source and assume all else will be fine?

If you actually want the destination to be able to mount and read the encrypted dataset, you’ll need to provide it with your new key, to the best of my understanding.

With that said, I’m relatively lightweight on native encryption compared to the rest of OpenZFS features. This is something that ideally you should really test on toy pools (you can just build them out of sparse files); if you do so, I’d love to see your confirmed results here!

Yes, you are right. The old key will not work on old snapshots. For old and new snapshots on both sides you need the new key. I changed the key at source, and it propagated to the destination. In other words, the keyformat changes from the key file to passphrase at the encryption root on both sides. It looks like there is a single piece of metadata (potentially copied over different areas in the same disk and across multiple disks) at the encryption root that contains the wrapped key alongside the usual encryption-related fields that you can see via the “zfs get” command.

I have been using ZFS with native encryption for over a year. My environment is rather challenging. I have a single-disk ZFS pool on my laptop, with 15-minute snapshots. I replicate existing encrypted snapshots via ZFS raw send to a remote RAID1 SSD server via Syncoid, every 15 minutes. I’m sure the transmission has been interrupted many times, as I frequently switch the network or pull the laptop off the network. So far I have not encountered any issues!

I know there is a warning on using ZFS with encryption, related to a bug that is triggered when sending encrypted snapshots. But it has not happened to me yet.
I have non-ZFS backups just in case.

It would be a pity if the issue cannot be resolved. Since I discovered ZFS, it has simplified my data backup and management. Now all I have to do when I start with a new device is plug in my disk and mount my directories! No need to ship the data out via restic and import it back from backup. I get one running file system. This allows me to reinstall the operating system on a second disk frequently, store directories that contain user data and configuration files on a ZFS dataset on the first disk, and just mount those ZFS datasets in new systems.
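The toy-pool test the reply above suggests, and the result the follow-up post reports (the new keyformat propagates to the destination through an incremental raw send, the old key is rejected there, the new one mounts the dataset), written out as a runnable script. This is an added example, not code from the thread or from OpenZFS; the pool names, dataset name, image sizes, key paths and mount paths are assumptions, and it must be run as root on a host with `zpool`/`zfs` installed. The `expect_fail` helper is what turns "the old key no longer works" into a checked assertion.

```shell
#!/bin/sh
# Added example: exercise `zfs change-key` against a raw-send replica on
# two pools built from sparse files. Everything here is throwaway; names
# and paths are assumptions for the demo. Requires root and OpenZFS.
set -eu

WORK=${WORK:-/tmp/zfs-keychange-demo}   # assumed scratch directory
SRC_POOL=${SRC_POOL:-srcpool}           # assumed pool names
DST_POOL=${DST_POOL:-dstpool}
DS=secret                               # assumed dataset name

# Return 0 when the given command fails, 1 when it unexpectedly succeeds.
# Used to assert that a stale key is rejected at the destination.
expect_fail() {
    if "$@" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# True only where the demo can actually run (root + zpool/zfs on PATH).
can_run_demo() {
    command -v zpool >/dev/null 2>&1 && command -v zfs >/dev/null 2>&1 \
        && [ "$(id -u)" -eq 0 ]
}

cleanup() {
    zpool destroy -f "$DST_POOL" 2>/dev/null || true
    zpool destroy -f "$SRC_POOL" 2>/dev/null || true
    rm -rf "$WORK"
}

run_demo() {
    mkdir -p "$WORK"
    trap cleanup EXIT
    truncate -s 512M "$WORK/src.img" "$WORK/dst.img"
    zpool create -f -m none "$SRC_POOL" "$WORK/src.img"
    zpool create -f -m none "$DST_POOL" "$WORK/dst.img"

    # Old user key: 32 raw bytes in a file. New user key: a passphrase.
    head -c 32 /dev/urandom > "$WORK/old.key"
    printf 'correct horse battery staple\n' > "$WORK/new.pass"

    zfs create -o encryption=aes-256-gcm -o keyformat=raw \
        -o keylocation="file://$WORK/old.key" \
        -o mountpoint="$WORK/src-mnt" "$SRC_POOL/$DS"
    echo "written under the old key" > "$WORK/src-mnt/one.txt"
    zfs snapshot "$SRC_POOL/$DS@snap1"

    # Raw send: data stays encrypted and the wrapped master key travels
    # with it; the receiver never needs the user key just to store it.
    zfs send -w "$SRC_POOL/$DS@snap1" | zfs receive -u "$DST_POOL/$DS"

    # Rewrap the master key under the new passphrase at the source only.
    zfs change-key -o keyformat=passphrase \
        -o keylocation="file://$WORK/new.pass" "$SRC_POOL/$DS"
    echo "written under the new key" > "$WORK/src-mnt/two.txt"
    zfs snapshot "$SRC_POOL/$DS@snap2"
    zfs send -w -i @snap1 "$SRC_POOL/$DS@snap2" | zfs receive -u "$DST_POOL/$DS"

    # The destination now reports the new keyformat without any local change.
    [ "$(zfs get -H -o value keyformat "$DST_POOL/$DS")" = passphrase ]

    # The old raw key is rejected for the replica (old and new snapshots
    # share the one wrapped key), while the new passphrase loads it.
    zfs unload-key "$DST_POOL/$DS" 2>/dev/null || true
    expect_fail zfs load-key -L "file://$WORK/old.key" "$DST_POOL/$DS"
    zfs load-key -L "file://$WORK/new.pass" "$DST_POOL/$DS"

    zfs set mountpoint="$WORK/dst-mnt" "$DST_POOL/$DS"
    zfs mount "$DST_POOL/$DS"
    cat "$WORK/dst-mnt/one.txt" "$WORK/dst-mnt/two.txt"
    echo "destination mounted with the new key; old key rejected as expected"
}

if can_run_demo; then
    run_demo
else
    echo "skipping demo: needs root and OpenZFS (zpool/zfs) on PATH" >&2
fi
```

Run it as root on a scratch machine; the `cleanup` trap destroys both pools and removes the images even if an intermediate step fails. Replace `file://$WORK/new.pass` with `prompt` if you would rather type the passphrase than keep it on disk, and remember that, as the thread notes, the destination still needs the new key if anyone is to mount the replica there.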