WARNING, the below is unsupported, keep a fire extinguisher on standby.
It is possible to send/receive with the -x encryption property to receive into an encrypted parent w/ inherited encryption, then rename it into place with the docker service stopped. (Don’t use a passphrase: since it’s hidden from the webui it can’t be unlocked, and being inaccessible at boot would cause the docker service to fail to start.)
AFAIK this causes no problems, with the exception that newly created ix-volume datasets are still created unencrypted (my main system has been running like this for some time; I did this with the understanding that I can self-support if I need to, though. I also ran with a similarly encrypted ix-applications k3s dataset too, with no real issues).
The forced unencrypted is mainly due to legacy reasons, i.e. the migration from k3s to docker, where the datasets were forced unencrypted to avoid “edge cases”. However, most edge cases with ZFS native encryption are due to the fact that you can’t encrypt/decrypt an existing dataset and, importantly for ix, you also can’t encrypt/decrypt clones of existing datasets, which are how they handle migrations.
Also vote on this feature request so we can have it officially, it’s silly this is still a limitation.
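
An added example, not part of the post above: a small audit that reads `zfs get` output and flags the two conditions the post mentions, child datasets that ended up unencrypted and datasets keyed with a passphrase. The dataset names in the sample are constructed placeholders, not real TrueNAS paths.

```shell
#!/bin/sh
# Audit the encryption state of a dataset tree.
#
# Input on stdin: tab-separated name, property, value, as printed by
#   zfs get -H -r -t filesystem,volume -o name,property,value \
#       encryption,keyformat <dataset>
#
# Output: one line per finding, "<FINDING>\t<dataset>".
#   UNENCRYPTED  encryption=off (e.g. a child created after the move)
#   PASSPHRASE   keyformat=passphrase (needs an interactive unlock)
audit_encryption() {
    awk -F '\t' '
        $2 == "encryption" && $3 == "off"        { print "UNENCRYPTED\t" $1 }
        $2 == "keyformat"  && $3 == "passphrase" { print "PASSPHRASE\t" $1 }
    '
}

# Constructed sample in the same format, so the audit can be tried
# without touching a pool. All names here are placeholders.
sample_zfs_get() {
    printf '%s\t%s\t%s\n' \
        'tank/docker'        'encryption' 'aes-256-gcm' \
        'tank/docker'        'keyformat'  'hex' \
        'tank/docker/newvol' 'encryption' 'off' \
        'tank/docker/newvol' 'keyformat'  'none' \
        'tank/other'         'encryption' 'aes-256-gcm' \
        'tank/other'         'keyformat'  'passphrase'
}

# Run with --sample to see the findings for the constructed input.
# On a live system, pipe the zfs get command shown above into
# audit_encryption instead.
if [ "${1:-}" = "--sample" ]; then
    sample_zfs_get | audit_encryption
fi
```

Empty output means every dataset in the tree is encrypted and none uses a passphrase key.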