New datasets do not get encrypted when replicating from unencrypted to encrypted dataset

I ran into the following issue on one of our replication tasks in TrueNAS:

The setup:
A VM running TrueNAS Scale is replicating a dataset from another TrueNAS Scale system (an M50). Both systems are running Dragonfish-24.04.1.1.
The dataset is unencrypted on the source and goes into an encrypted dataset on the destination.
This worked fine for the initial replication thanks to the tips from here: Unencrypted dataset to encrypted dataset issue - #3 by vladatnyc
Mainly by setting the options “Encryption” and “Inherit encryption” in the replication task settings and not pre-creating the target dataset but rather specifying it as a path under “Destination”.

Now however, newly created child-datasets on the source will be transferred unencrypted and the destination throws this error in the GUI:

The following datasets are not encrypted but are within an encrypted dataset: ‘…names of the datasets that were newly created on the source…’ which is not supported behaviour and may lead to various issues.

All datasets that existed when the first full replication was done are still transferring fine and encrypted.

I tried setting “encryption” in “Properties override” but it gives the message “Invalid format. Expected format: =” in red under the input field in the GUI.
Setting “encryption” in “Properties exclude” gives no error but also doesn’t solve the problem:

(these tips were from: Encryption and replication | TrueNAS Community)
The solution from that thread is not possible in my case, because “Encryption” and “Inherit encryption” were checked the entire time.

That’s interesting. I don’t believe the GUI was designed to handle such a case.

If you try without “Properties Exclude / Override”, the resulting dataset is non-encrypted on the destination?

Did they actually get transferred, or was the task halted due to an error?

Yes, when I set up this replication task it was a full replication because the destination had nothing at all. It was a fresh install of TrueNAS.

In this initial replication, I went without any Exclude/Override and only activated “Encryption”, “Inherit Encryption” and “Full Filesystem Replication”. This worked well and every child-dataset from the source (which are all unencrypted on the source) was transferred to the encrypted dataset on the destination (cloud-backup/M50-backup/active-data). The child-datasets from this initial replication also show as “encrypted” on the destination.

The problem only arose once I started creating new child-datasets in “tank/active-data” on the source. These new children get transferred to the destination (the datasets and the files & folders in them show up in the GUI and shell on the destination) but show as “unencrypted” there and the above-mentioned warning popped up once.

So, the replication actually transferred the data and there was no halting error, just this warning about unencrypted datasets within encrypted ones. Since then, the replication runs fine and shows as “completed successfully” in the notifications every hour. Only problem is that the new children are not encrypted.

From the tooltips in the Replication Task GUI, I assumed that everything that gets transferred via this specific replication task will “inherit encryption” from its parent-dataset on the destination. But apparently, it only does this on the initial replication. All other dataset properties (quota, sharenfs, etc) get transferred even for the new children, just not encryption.

I found the solution!

It was hidden in the thread I linked before (Encryption and replication | TrueNAS Community) in the last reply of the OP:

After the initial replication (which you run with the option “Full Filesystem Replication” enabled) you have to uncheck “Full Filesystem Replication” and check “Include Dataset Properties” instead for ALL subsequent replications. And NOT put anything into “Properties Exclude” or “Properties Override”.

This is highly counter-intuitive, I think, since the Dataset Property “encryption” on the source is “off” and after replication it is “on” on the destination. Even though the tooltip for “Include Dataset Properties” reads:

Include dataset properties with the replicated snapshots.

which is the opposite of what is done in this case?

Well, but it’s working now!
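
A check for the condition this thread describes, added here as an example and not part of any poster's message: the replication task reports success while new children land unencrypted, so the destination should be audited directly. The function reads `zfs get` output and lists every dataset with `encryption=off` that sits below an encrypted ancestor; the child names `projects` and `new-child` in the sample are constructed.

```shell
#!/bin/sh
# Added example: list datasets with encryption=off that sit below an
# encrypted ancestor. Input is "name<TAB>value" lines, as printed by:
#   zfs get -rH -o name,value -t filesystem,volume encryption <root>

find_unencrypted_children() {
    awk -F '\t' '
        { enc[$1] = $2; order[++n] = $1 }
        END {
            for (i = 1; i <= n; i++) {
                ds = order[i]
                if (enc[ds] != "off") continue
                # Walk up the path one component at a time and stop at
                # the first ancestor that is encrypted.
                parent = ds
                while (sub("/[^/]*$", "", parent)) {
                    if ((parent in enc) && enc[parent] != "off") {
                        print ds
                        break
                    }
                }
            }
        }'
}

# Constructed sample input (not captured from a real system). The pool
# root is unencrypted with no encrypted ancestor, so it is not flagged.
sample_zfs_output() {
    printf '%s\t%s\n' \
        'cloud-backup' 'off' \
        'cloud-backup/M50-backup' 'aes-256-gcm' \
        'cloud-backup/M50-backup/active-data' 'aes-256-gcm' \
        'cloud-backup/M50-backup/active-data/projects' 'aes-256-gcm' \
        'cloud-backup/M50-backup/active-data/new-child' 'off' \
        'cloud-backup/M50-backup/active-data/new-child/sub' 'off'
}

# Demo on the constructed sample; on the destination, pipe the zfs get
# command from the header comment into the function instead.
sample_zfs_output | find_unencrypted_children
```

Running this after each replication, or from a scheduled job, catches unencrypted children even when the one-time GUI warning has been dismissed.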