Problem/Justification
Based off what I have read, ix-apps stores docker containers (apps) on it. Right now this dataset is not allowed to be encrypted. This is an issue as this would reveal a lot of data, including what docker containers are installed, but more than that it would reveal all internal data of that container if I understand correctly. While you can use host-paths to mount some data to an encrypted dataset, some applications store sensitive data within the container. Additionally, you may want to pass some sensitive data into a container as an environment variable. Environment variables are also stored unencrypted in ix-apps.
A user could also use ix-volumes to store stuff that the docker app requires mounts for, which would then be stored unencrypted in ix-apps, but that is less of a concern as you can use host-paths instead.
I understand that Self-Encrypting drives exist and can be used; however, this should be available for everyone, including people who do not use self-encrypting drives.
Impact
This is a security issue: when I enable encryption for pool and inherit it to datasets I expect all data to be encrypted, not for a special rule to override this for ix apps. I understand there were some issues with data migration and other things, which is why this feature was disabled. However, I think making this an option and warning of those issues would be good enough.
Implementing this feature would enhance security, and if implemented behind an option with a warning would not have drawbacks the user was not warned of.
Additionally, data contained within docker containers is not intended to be persisted forever, as when a docker container is deleted, updated, or recreated that data is lost. However, this data is still stored on the disk, which persists through system restarts, and can contain sensitive information, which is why it should be allowed to be encrypted.
However, I am wondering if only allowing migration through an automated process of deleting the ix-apps dataset and then creating a new one in the new location would solve the issues that caused this feature to be removed in the first place. This would break ix-volumes though.
User Story
When creating a dataset for ix-apps the user is asked if they want to allow encryption on the dataset. If the box is checked, a warning in a yellow box is displayed. This warning warns of potential issues the user may encounter.
For more info see this ticket where the feature was also requested.
https://ixsystems.atlassian.net/browse/NAS-123318
This thread is also relevant: SOLVED - How to best resolve this warning? "datasets are not encrypted but are within an encrypted dataset" [22.12.3] | TrueNAS Community
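
Added example, not part of the original post or of TrueNAS itself: a shell check that lists every dataset whose `encryption` property is `off` while one of its ancestors is encrypted, which is the condition the request describes for ix-apps. The pool name `tank` and the dataset names in the sample are constructed; the function parses the tab-separated output of `zfs get -H -o name,value encryption -r <pool>`.

```shell
#!/bin/sh
# Reads "name<TAB>value" lines on stdin, as printed by:
#   zfs get -H -o name,value encryption -r <pool>
# Prints "dataset<TAB>encrypted-ancestor<TAB>ancestor-cipher" for each
# dataset that is unencrypted although an ancestor is encrypted.
find_unencrypted_children() {
    awk -F '\t' '
        NF >= 2 { enc[$1] = $2; order[++n] = $1 }
        END {
            for (i = 1; i <= n; i++) {
                name = order[i]
                if (enc[name] != "off") continue
                parent = name
                # Strip one path component at a time to visit each ancestor,
                # nearest first; stop at the first encrypted one.
                while (sub("/[^/]*$", "", parent)) {
                    if ((parent in enc) && enc[parent] != "off") {
                        printf "%s\t%s\t%s\n", name, parent, enc[parent]
                        break
                    }
                }
            }
        }'
}

# Constructed sample input (hypothetical pool and dataset names).
sample_zfs_output() {
    printf 'tank\taes-256-gcm\n'
    printf 'tank/data\taes-256-gcm\n'
    printf 'tank/ix-apps\toff\n'
    printf 'tank/ix-apps/example-child\toff\n'
    printf 'plain\toff\n'
    printf 'plain/media\toff\n'
}

# On a live system (pool name is an assumption):
#   zfs get -H -o name,value encryption -r tank | find_unencrypted_children
sample_zfs_output | find_unencrypted_children
```

Datasets under the unencrypted pool `plain` are not reported, because nothing above them is encrypted and no inheritance expectation is broken.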