zfs: backup unencrypted datasets into encrypted datasets

From: Luís Henriques <henrix_at_camandro.org>
Date: Wed, 20 Oct 2021 10:51:18 UTC

Hi!

I'm sending this question to this mailing list after not getting any
feedback on the FreeBSD forums.  Hopefully I'll have more luck here.

This is probably a trivial question, but I'm failing to figure it out
myself after reading a lot of documentation.

I've my laptop running an up-to-date 13.0-RELEASE, with zfs on top of
geli. So, datasets are *not* encrypted, but encryption is done on the
lower level.

I've a single snapshot in my home dataset:

# zfs list -t snapshot zroot/usr/home
NAME                              USED  AVAIL     REFER  MOUNTPOINT
zroot/usr/home@2021-10-19_13h50  2.87M      -     13.3G

which I'd like to back up to my external USB drive, which is zfs as well,
but not using geli (as I'd like to share it with other non-FreeBSD
computers). Thus, I've created the following on my external drive:

# zfs create -o encryption=on -o keyformat=passphrase backups/root
# zfs create -o encryption=on backups/root/orpheus-home

When I try to send my snapshot, here's what I see:

# zfs send -v -R zroot/usr/home@2021-10-19_13h50 | zfs recv -x encryption backups/root/orpheus-home
full send of zroot/usr/home@2021-10-19_13h50 estimated size is XXXG
total estimated size is XXXG
cannot receive new filesystem stream: destination 'backups/root/orpheus-home' exists
must specify -F to overwrite it
warning: cannot send 'zroot/usr/home@2021-10-19_13h50': signal received

Ok, let me try to use the suggested option:

# zfs send -v -R zroot/usr/home@2021-10-19_13h50 | zfs recv -F -x encryption backups/root/orpheus-home
full send of zroot/usr/home@2021-10-19_13h50 estimated size is XXXG
total estimated size is XXXG
cannot receive new filesystem stream: zfs receive -F cannot be used to destroy an encrypted filesystem or overwrite an unencrypted one with an encrypted one
warning: cannot send 'zroot/usr/home@2021-10-19_13h50': signal received

I've tried to use "-o keyformat=raw -o keylocation=file://..." instead of
"-x encryption" on the receiving side (after changing the key format, of
course), but the result is exactly the same. And I'm puzzled, with no idea
where to go from here. Is this a limitation of zfs, or is this zfs just
telling me I'm doing something really stupid?

Thanks for any hint that would help me sort this out.

Cheers,
--
Luís