Encrypted ZFS dataset fails to mount with "Permission denied" (even as root) #18375
Description
Hi *,
I have two servers with zfs encryption on where I incrementally mirror datasets
using zfs send --raw. Both system have been migrated from a TrueNAS SCALE to Freebsd 15.
Today I noticed that a dataset was not mounted, trying to mount it manually
does not work; the strange thing is, that trying to mount it as root also yields a permission denied error.
System information
| Type | Version/Name |
|---|---|
| Distribution Name | FreeBSD 15/NixOS ISO LTS Kernel |
| Distribution Version | FreeBSD 15/NixOS 25.11.8023.4590696c8693 |
| Kernel Version | 15.0-RELEASE-p5 FreeBSD/Linux nixos 6.12.77 |
| Architecture | x86_64 |
| OpenZFS Version | zfs-2.4.0-rc4/zfs-2.3.6-1 |
Summary/Explanation
On System B (broken dataset), one encrypted dataset (tank/backups) refuses to mount. The
key is loaded (keystatus=available), but zfs mount fails with Permission
denied, even when executed as root. The same dataset mounts normally on
System A (works). The issue persists even when booting from a NixOS live ISO,
suggesting the problem is not OS‑specific.
Working system
System A (working):
# zfs --version; uname -a
zfs-2.4.0-1-FreeBSD_g743334913
zfs-kmod-2.4.0-1-FreeBSD_g743334913
FreeBSD rei 15.0-STABLE FreeBSD 15.0-STABLE stable/15-n281755-7b718d24968f GENERIC amd64
# id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
# zfs get keystatus,keyformat,encryption,encryptionroot,mountpoint tank/backups
NAME PROPERTY VALUE SOURCE
tank/backups keystatus available -
tank/backups keyformat hex -
tank/backups encryption aes-256-gcm -
tank/backups encryptionroot tank -
tank/backups mountpoint /tank/backups default
# mount | grep 'tank/backups'
tank/backups on /tank/backups (zfs, local, noatime, nfsv4acls)
System with broken dataset
System B (broken):
# zfs --version; uname -a
zfs-2.4.0-rc4-FreeBSD_g099f69ff5
zfs-kmod-2.4.0-rc4-FreeBSD_g099f69ff5
FreeBSD white-rose 15.0-RELEASE-p5 FreeBSD 15.0-RELEASE-p5 releng/15.0-n281018-0730d5233286 GENERIC amd64
# id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
# zfs get keystatus,keyformat,encryption,encryptionroot,mountpoint tank/backups
NAME PROPERTY VALUE SOURCE
tank/backups keystatus available -
tank/backups keyformat hex -
tank/backups encryption aes-256-gcm -
tank/backups encryptionroot tank -
tank/backups mountpoint /tank/backups default
# mount | grep 'tank/backups'
# zfs mount tank/backups
cannot mount 'tank/backups': Permission denied
NixOS live ISO:
[root@nixos:/home/nixos]# uname -a
Linux nixos 6.12.77 #1-NixOS SMP PREEMPT_DYNAMIC Fri Mar 13 16:20:49 UTC 2026 x86_64 GNU/Linux
[root@nixos:/home/nixos]# zfs --version
zfs-2.3.6-1
zfs-kmod-2.3.6-1
[root@nixos:/home/nixos]# zfs mount -a
cannot mount 'tank/backups': Permission denied
Additional Notes
- Resetting to earlier snapshots or cloning the affected dataset does not resolve the issue.
- Both pools scrub cleanly with no reported errors.
- Other encrypted datasets on the same pool mount normally.
- dmesg yields no error
- Possibly related to Replicating encrypted child dataset + change-key + incremental receive overwrites master key of replica, causes permission denied on remount #12614 ?