Encrypting ZFS with LUKS

Pre-reqs:
install cryptsetup
Code:

apt-get install cryptsetup

Disk One setup:
Remove the disk from the boot pool
Code:

zpool detach rpool sda3

Format the partition ZFS was using as a LUKS container.
Code:

cryptsetup luksFormat /dev/sda3

Open (unlock) the LUKS-formatted partition
Code:

cryptsetup luksOpen /dev/sda3 lukszfs1

At this point disk layout should look like this

Attach the encrypted partition to the pool
Code:

zpool attach rpool sdb3 lukszfs1

Add the lukszfs1 mapping to /etc/crypttab
IMPORTANT: the initramfs option forces the LUKS partition to be unlocked before ZFS tries importing the pool. Without this option the system will not boot.
Code:

lukszfs1 /dev/sda3 none luks,discard,initramfs

Update initramfs to apply the correct mounting order.
Code:

update-initramfs -u

Once ZFS is done resilvering, the disk layout and pool should look something like this

At this point it is theoretically possible to reboot successfully. However, there is still an unencrypted disk in the rpool.

Before encrypting the next disk, add support to grub to boot with an encrypted /boot partition. To do so, add the following line to /etc/default/grub
Code:

GRUB_ENABLE_CRYPTODISK=y

Update and re-install grub:
Code:

update-grub
grub-install /dev/sda
grub-install /dev/sdb

Detach the unencrypted disk from the rpool
Code:

zpool detach rpool sdb3

Format, mount and re-add the disk to rpool as done with the first disk.
Code:

cryptsetup luksFormat /dev/sdb3
cryptsetup luksOpen /dev/sdb3 lukszfs2
zpool attach rpool lukszfs1 lukszfs2

Add the second disk to /etc/crypttab
Code:

lukszfs2 /dev/sdb3 none luks,discard,initramfs

Update initramfs
Code:

update-initramfs -u
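
A pre-reboot check for the crypttab step above, as an added example that is not part of the original guide: it confirms that every LUKS mapping backing the pool has a crypttab entry carrying the initramfs option. The function names check_crypttab and write_sample are hypothetical, and the sample crypttab is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify crypttab entries before rebooting.

# check_crypttab FILE NAME...
# Prints one line per problem; returns 0 if every mapping is fine, 1 otherwise.
check_crypttab() {
    file=$1; shift
    rc=0
    for name in "$@"; do
        # crypttab fields: <target> <source device> <key file> <options>
        opts=$(awk -v n="$name" '
            /^[ \t]*#/ { next }                  # skip comment lines
            $1 == n { print ($4 == "" ? "-" : $4); exit }
        ' "$file")
        if [ -z "$opts" ]; then
            echo "$name: no entry in $file"
            rc=1
            continue
        fi
        case ",$opts," in
            *,initramfs,*) ;;                    # unlocked in the initramfs
            *) echo "$name: missing initramfs option (has: $opts)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: lukszfs2 lacks initramfs, lukszfs3 is commented out.
write_sample() {
    cat > "$1" <<'EOF'
# <target> <source device> <key file> <options>
lukszfs1 /dev/sda3 none luks,discard,initramfs
lukszfs2 /dev/sdb3 none luks,discard
# lukszfs3 /dev/sdc3 none luks,discard,initramfs
EOF
}

sample=$(mktemp)
write_sample "$sample"
check_crypttab "$sample" lukszfs1 lukszfs2 lukszfs3 || echo "fix crypttab before rebooting"
rm -f "$sample"
```

On the real system, run check_crypttab /etc/crypttab lukszfs1 lukszfs2 and re-run update-initramfs -u after correcting any entry it reports.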