
zfs send fails on encrypted datasets (support raw send)

Open FireStormOOO opened this issue 2 years ago • 0 comments

cannot send nvme1/[email protected]: encrypted dataset nvme1/vm-7002-disk-0 may not be sent with properties without the raw flag

From the man pages: "If the -R flag is used to send encrypted datasets, then -w must also be specified." The -w (raw) flag is equivalent to adding -Lec, which is large block, embed, and compression respectively.

It's not immediately obvious to me how to go about this generally. Adding the w flag gets the data copied but the receiving system won't have the key without extra steps. Removing the R flag seems worse. Simply sending the key too is not quite right; a typical zfs encryption setup will have the VM's volumes inheriting encryption settings from the containing dataset and it'd be odd if that wasn't true for a migrated VM.

It looks like this would be possible, at least in my setup, by running zfs change-key on the source dataset to break the inheritance and setting a temporary key, doing a raw send, loading temp keys for the dataset over ssh, and then running zfs change-key -i on both to have the dataset resume inheriting keys from the parent. This would be security-equivalent to just piping the raw decrypted data over SSH, but you'd get all the ZFS snapshots and nice-to-haves intact - plus it'd send compressed.

FireStormOOO, Dec 19 '23 05:12
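The change-key / raw send / change-key -i sequence sketched in the issue, written out as an added shell workflow (example code, not proxmove's own). It assumes the destination parent dataset is already encrypted with its key loaded, that root ssh to the destination host works, and that a keyfile holds a temporary passphrase used only for the transfer; the host name, dataset names and keyfile path are constructed for illustration.

```shell
#!/bin/sh
# Added example (not proxmove's code): break key inheritance with a
# temporary key, raw-send, load that key remotely, then re-inherit on
# both sides. Assumptions: destination parent dataset is encrypted with
# its key loaded; KEYFILE holds a temporary passphrase (8+ characters).
set -eu

# run: print the command in dry-run mode (the default), execute it otherwise.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else eval "$*"; fi
}

# migrate_encrypted_volume SRC_DS SNAP DST_HOST DST_DS KEYFILE
migrate_encrypted_volume() {
    src=$1; snap=$2; host=$3; dst=$4; keyfile=$5
    # 1. Break inheritance: the volume becomes its own encryption root,
    #    wrapped by a temporary passphrase that the raw stream will carry.
    run "zfs change-key -o keyformat=passphrase -o keylocation=prompt '$src' < '$keyfile'"
    # 2. Raw replication send (-R -w): data stays encrypted on the wire and
    #    the receiver never needs the source parent's key to store it.
    run "zfs send -R -w '$src@$snap' | ssh '$host' zfs receive -u '$dst'"
    # 3. Load the temporary key on the destination (stdin travels over ssh).
    run "ssh '$host' zfs load-key '$dst' < '$keyfile'"
    # 4. Re-inherit from the parent on both sides; the temporary passphrase
    #    is now useless and the keyfile can be destroyed.
    run "zfs change-key -i '$src'"
    run "ssh '$host' zfs change-key -i '$dst'"
    run "shred -u '$keyfile'"
}
```

Run with DRY_RUN=1 first to review the exact commands; only the raw stream and the temporary passphrase cross the network, never the parent's key.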