applied-series: [RFC docs/storage/zfsonlinux 0/4] allow replication/migration with zfs native encryption

["Fabian Grünbichler" <f.gruenbichler@proxmox.com>]

zfsonlinux bumped, rest just pushed for now.

thanks!

On March 18, 2026 1:40 pm, Stoiko Ivanov wrote:
> OpenZFS recently got support for suppressing the encryption options while
> sending with -Rp[0]. This patchset adds the (userland only) patch to our
> zfsonlinux repository and uses the functionality to enable
> volume_export and volume_import for encrypted ZFS datasets.
> 
> My initial (quite limited) tests indicates that it works as intended
> (storage-replication/migration of containers, live and offline migration of a
> VM).
> 
> As is the functionality is quite versatile - guests can be send from encrypted
> to unencrypted storages and vice versa. The encryption state of a guest-disk/
> volume is solely defined by the storage on each node, it is not a property
> of the guest-disk, and not enforced.
> 
> The main caveat I currently see is that the patches need to be present
> on the receiving node before the first encrypted guest-disk is received:
> Without the addition of `-x encryption` for `zfs recv` the disk would
> get created/received without encryption, even if the root-dataset of the
> storage is encrypted. As storage-migration is currently broken for encrypted
> ZFS pools in any case this seems acceptable. Users would need to upgrade
> all nodes to versions with these patches before migrating/replicating
> the first guest disk on an encrypted zpool.
> 
> the second patch for pve-storage is optional - I'm not sure if always printing
> the warning helps or would raise more questions than it answers.
> 
> For the whole series:
> Suggested-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
> 
> [0] https://github.com/openzfs/zfs/pull/18240
> zfsonlinux:
> 
> Stoiko Ivanov (1):
>   cherry-pick patch for unencrypted send
> 
>  ...0015-Add-no-preserve-encryption-flag.patch | 306 ++++++++++++++++++
>  debian/patches/series                         |   1 +
>  2 files changed, 307 insertions(+)
>  create mode 100644 debian/patches/0015-Add-no-preserve-encryption-flag.patch
> 
> 
> pve-storage:
> 
> Stoiko Ivanov (2):
>   fix #2350: zfspool: send without preserving encryption
>   zfspool: export: skip hardcoded warning about no-preserve-encryption
>     flag
> 
>  src/PVE/Storage/ZFSPoolPlugin.pm | 19 ++++++++++++++++---
>  1 file changed, 16 insertions(+), 3 deletions(-)
> 
> 
> pve-docs:
> 
> Stoiko Ivanov (1):
>   storage: zfspool: add documention on encryption
> 
>  pve-storage-zfspool.adoc | 20 ++++++++++++++++++++
>  1 file changed, 20 insertions(+)
> 
> 
> Summary over all repositories:
>   4 files changed, 343 insertions(+), 3 deletions(-)
> 
> -- 
> Generated by murpp 0.10.0
> 
> 
> 
> 
>