Skip to content

TQ: Support for ZFS Key Rotation #9587

New issue
New issue
Open
Open
TQ: Support for ZFS Key Rotation#9587
@andrewjstone

Description

@andrewjstone
andrewjstone
opened on Jan 2, 2026

In order to upgrade from LRTQ and reconfigure trust quorum configurations, we need the ability to rotate ZFS keys used for our encrypted datasets. Currently, with LRTQ, we only ever create and load datasets in Epoch 1. We need the ability to read the current epoch from the dataset properties, load keys for both old and new epoch, and call the zfs change-key API.

This will require the key-manager support for TQ as described in #9586.

ZFS functionality will need to be added to https://github.com/oxidecomputer/omicron/blob/main/illumos-utils/src/zfs.rs. We probably need an API other than ensure_dataset here, since key rotation is not an idempotent operation.

Usage of the new functionality should live in the config reconciler inside sled-agent.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions