Send-Receiving an unencrypted ZFS to encrypted one can be a challenge

That's it.
I've had and unencrypted ZFS which I wanted to move to a new server.
I've preferred it to be encrypted on the new server.

I've had a few hiccups until I got it done, so I'm logging my experience.
Also for mine own further reference.

# zfs create -o encryption=on -o keyformat=passphrase -o keylocation=file:///path/to/zfs-key -o overlay=on rpool/lxc/prime

# zfs send --verbose --replicate --raw bkp_prime/bkp/prime/lxc@bkp-nightly-2022-01-21-0015 \
| \
zfs receive -Fuv -x mountpoint -x canmount -x overlay rpool/lxc/prime

cannot receive new filesystem stream: zfs receive -F cannot be used to destroy an encrypted filesystem or overwrite an unencrypted one with an encrypted one

# zfs send --verbose --replicate --raw bkp_prime/bkp/prime/lxc@bkp-nightly-2022-01-21-0015 \
| \
zfs receive -uv -x mountpoint -x canmount -x overlay -x encryption rpool/lxc/prime

cannot receive new filesystem stream: destination 'rpool/lxc/prime' exists

# zfs send --verbose --replicate --raw bkp_prime/bkp/prime/lxc@bkp-nightly-2022-01-21-0015 \
| \
zfs receive -Fuv -x mountpoint -x canmount -o encryption=on -o keyformat=passphrase -o keylocation=file:///path/to/zfs-key -o overlay=on rpool/lxc/prime

cannot receive new filesystem stream: zfs receive -F cannot be used to destroy an encrypted filesystem or overwrite an unencrypted one with an encrypted one

# zfs destroy -r rpool/lxc/prime

# zfs send --verbose --replicate --raw bkp_prime/bkp/prime/lxc@bkp-nightly-2022-01-21-0015 \
| \
zfs receive -Fuv -x mountpoint -x canmount -o encryption=on -o keyformat=passphrase -o keylocation=file:///path/to/zfs-key -o overlay=on rpool/lxc/prime

cannot receive new filesystem stream: incompatible embedded data stream feature with encrypted receive.

# zfs send --verbose --replicate -Lc bkp_prime/bkp/prime/lxc@bkp-nightly-2022-01-21-0015 \
| \
zfs receive -Fuv -x mountpoint -x canmount -o encryption=on -o keyformat=passphrase -o keylocation=file:///path/to/zfs-key -o overlay=on rpool/lxc/prime

cannot receive incremental stream: encryption property 'encryption' cannot be set for incremental streams.

### This time it almost worked as it received the first snapshot and created an FS :-)

# git clone https://github.com/rlaager/zfs-replicate.git

### Then I've recreated the encrypted ZFS and have tried

# ./zfs-replicate -n -r -v -u bkp_prime/bkp/prime/lxc rpool/lxc/prime
Checking for zfs send -c on destination: supported.
Checking for zfs send -e on destination: supported.
Checking for zfs send -L on destination: supported.
Checking for zfs send -t on destination: supported.
Comparing bkp_prime/bkp/prime/lxc -> rpool/lxc/prime
zfs destroy -r -n -v rpool/lxc/prime
would destroy rpool/lxc/prime

[...]

### Strangely it wanted to destroy the new encrypted ZFS
### I gave it a try anyway, this time without the dry-run option,
### and it destroyed it indeed, recreated it and started transferring.
### The newly created ZFS was not encrypted though.
### So I've checked its Python3 source and have tried to change "zfs destroy" to "zfs destroy -n"
### Apparently it started to face the same issues as my previous attempts.
### Not sure if I've missed something but at this point I did not want to continue to play with this script.
###
### The solution was to receive in a child of the encryptionroot(which I've created once again):

# zfs send --verbose --replicate -Lc bkp_prime/bkp/prime/lxc@bkp-nightly-2022-01-20-0015 \
| \
zfs receive -Fuv -x mountpoint -x canmount -x encryption -x keyformat -x keylocation -x overlay rpool/lxc/prime/tmp

# zfs rename rpool/lxc/prime rpool/lxc/prime-enc
# zfs change-key -o keylocation=file:///path/to/zfs-key -o keyformat=passphrase rpool/lxc/prime-enc/tmp
# zfs rename rpool/lxc/prime-enc/tmp rpool/lxc/prime
# zfs destroy rpool/lxc/prime rpool/lxc/prime-enc

References:

• https://zfsonlinux.topicbox.com/groups/zfs-discuss/Tc9acf1bc1513ea21/migration-from-unencrypted-to-encrypted-data-set