Migrate Truenas Core Legacy Geli Encryption pool to Truenas Scale ZFS native encryption

Hi,
I have a Truenas Core server with legacy geli encryption and a new server with new hard drives where I installed Truenas Scale. I also already created a pool with zfs native encryption, but don't have any data on the new system yet.

I tried for the past few hours to migrate the data to the new server but had several issues and it never worked. Could you please advise me how to do this? I tried using the GUI and the replication feature to replicate into the pool on the new truenas server. This seemed to be the recommended way, or should I use zfs send/receive manually? Was it correct to create a pool on the new truenas system or should I remove that one? Can I create that pool during the replication?

One error I received:

  1. Destination dataset 'pool' already exists and is its own encryption root. This configuration is not supported yet. If you want to replicate into an encrypted dataset, please, encrypt its parent dataset.

Does the pool on the new server need to be unencrypted? I would prefer to have an encrypted pool.

During one of the replications I managed to create data on the new server but the dataset was unencrypted and truenas on the new server warned me that I have unencrypted data in an encrypted pool which is unsupported. Is there a step by step guide I can follow?

You need to manually append /mydata on the destination text field. (You have to manually type it in. Using the mouse to click on existing dataset icons will not work.)

From this: pool
To this: pool/mydata

You will also need to exclude the encryption property in the replication options. The newly created child dataset will inherit the encryption properties from “pool” on the destination side.

I see this also suggested here: Encrypted dataset replication | TrueNAS Community

However how would I migrate multiple datasets using this method? Do I need to migrate every dataset in my pool individually?

Yes.

This is why I use pseudo-roots. I don’t like treating the pool’s root dataset as anything more than a glorified keyring.


Thanks! Now I finally understood the issue. For reference:

I realized the UI is way more complicated and used zfs send / receive instead and created a snapshot before. This blogpost made me understand how to use -x to encrypt the volumes on the receiving side under the parent pool. I tried -F but that didn't work. Your post made me understand that that is not possible with the root dataset and I opted to create a pseudo one so it's easier to migrate in the future.

This is the command I ended up with
```shell
# -x drops the source's encryption properties from the stream, so the received datasets inherit them from the encrypted "pool"
zfs send -R Volume1@migration | pv -s 20T | ssh -i truenas_key.rsa root@ip "zfs receive -x encryption -x keylocation -x keyformat -F pool/pool1"
```

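An added example (not code from anyone in this thread) that wraps the migration above in a dry-run command builder plus the check I would run afterwards: every dataset received under the pseudo-root must report the destination pool as its encryptionroot, otherwise you are back in the "unencrypted data / own encryption root" state TrueNAS complains about. It assumes the thread's names (`Volume1@migration`, `pool/pool1`, `root@ip` as a placeholder host) and leaves out the pv progress meter and ssh key option.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes: source pool "Volume1"
# with a recursive snapshot @migration, and a natively encrypted destination
# pool "pool" whose root dataset is the encryption root; DEST is the
# pseudo-root child that the whole source tree is received under.
SRC="${SRC:-Volume1}"
SNAP="${SNAP:-migration}"
DEST="${DEST:-pool/pool1}"
DEST_HOST="${DEST_HOST:-root@ip}"   # placeholder host, as written in the thread

# Build the send/receive pipeline as a string (printed, not executed).
# -x strips the source's encryption properties from the stream so every
# received dataset inherits them from "pool" instead of arriving unencrypted
# or becoming its own encryption root.
build_cmd() {
  printf 'zfs send -R %s@%s | ssh %s "zfs receive -x encryption -x keylocation -x keyformat -F %s"' \
    "$1" "$2" "$3" "$4"
}

# Post-migration check. Reads `zfs get -H -o name,value encryptionroot -r DEST`
# output (tab-separated) on stdin and reports every dataset whose encryption
# root is not the expected one. Returns 1 if any mismatch was found, which is
# exactly the state TrueNAS rejects.
check_encroot() {
  expected="$1"
  tab="$(printf '\t')"
  bad=0
  while IFS="$tab" read -r name root; do
    [ -z "$name" ] && continue
    if [ "$root" != "$expected" ]; then
      echo "MISMATCH: $name encryptionroot=$root (expected $expected)"
      bad=1
    fi
  done
  return "$bad"
}

# Dry run: show the pipeline. With VERIFY=1, ask the destination host for the
# encryption roots under DEST and check them against the pool name.
echo "Would run: $(build_cmd "$SRC" "$SNAP" "$DEST_HOST" "$DEST")"
if [ "${VERIFY:-0}" = 1 ]; then
  ssh "$DEST_HOST" "zfs get -H -o name,value encryptionroot -r $DEST" \
    | check_encroot "${DEST%%/*}"
fi
```

Run it with `VERIFY=1` after the receive has finished; a non-zero exit with MISMATCH lines means some dataset did not inherit encryption from the pool.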