apt-get install cryptsetup
Disk One setup:
Remove the disk from the boot pool
zpool detach rpool sda3
Format the partition ZFS was using for luks.
cryptsetup luksFormat /dev/sda3
Mount the LUKS formatted partition
cryptsetup luksOpen /dev/sda3 lukszfs1
At this point disk layout should look like this
Attach the encrypted partition to the pool
zpool attach rpool sdb3 lukszfs1
Add the lukszfs1 mount to /etc/crypttab
IMPORTANT: the initramfs option forces the luks partion to be unlocked before ZFS tries importing the pool without this option the system will not boot.
lukszfs1 /dev/sda3 none luks,discard,initramfs
Update initramfs to apply the correct mounting order.
Once ZFS is done resilvering disk layout and pool should look something like this
At this point it is theoretically possible to reboot successfully. However there is still an un-encrypted disk in the rpool.
Before encrypting the next disk, add support to grub to boot with an encrypted /boot partition. To do so add the following line to /etc/default/grub
Update and re-install grub:
Detach the unencrypted disk from the rpool
zpool detach rpool sdb3
Format, mount and re-add the disk to rpool as done with the first disk.
cryptsetup luksFormat /dev/sdb3
cryptsetup luksOpen /dev/sdb3 lukszfs2
zpool attach rpool lukszfs1 lukszfs2
Add the second disk to /etc/crypttab
lukszfs2 /dev/sdb3 none luks,discard,initramfs