Using apps will breach encryption from 24.10 onwards

[Background] Users having their app-pool and ix-applications dataset encrypted pre-24.10 are facing issues when migrating to 24.10 as migration is not supported for encrypted pools. See:

Apps migration from Dragonfish to Electric Eel fails when ix-applications is on native encryption pool

It turns out that using apps will breach encryption from 24.10 onwards. The app-config storage, now a hidden dataset called ix-apps, is set up so that it is not inheriting parent-pool/dataset encryption. Doing this is poor ZFS practice, as people assume that child datasets always inherit encryption, which is the default but not a requirement (see GitHub OpenZFS issue 9116). In fact, TrueNAS itself is issuing an alert if an unencrypted dataset inside an encrypted parent is detected (though not for ix-apps).

I see two problems with that:

  1. This behavior (as far as I know) is lacking documentation.
  2. The suggested workaround of storing app-configs on an encrypted pool/dataset somewhere and mounting them within the app (using mounted host paths) does not always work.

Consider the following: the WebDAV app stores the password inside the app-config prompt and thus on ix-apps, a hidden, unencrypted child of an encrypted pool/dataset. Now take your small business that is serving sensitive data via the official WebDAV app and is reselling its old drives on eBay at some point. Under the assumption that all pools were always encrypted, the drives are only formatted instead of erased. Besides WebDAV, I can see similar problems with cloudflared, vaultwarden, wireguard, etc. I’m pretty sure CVEs were issued for less severe problems, but of course the number of affected users is likely very small. Still, I advocate for:

  1. Not obfuscating/hiding datasets
  2. Having ix-apps inherit parent-encryption, as was the case pre-24.10 with ix-applications. In fact, I had zero problems with ix-applications on a keyfile-encrypted, auto-unlocking pool over the past years.

I’m unsure how to proceed at this point. Maybe I’ll go back to pre-24.10 and wait till this is resolved, use only apps with the config mountable from outside, or try to manually encrypt ix-apps.

Note: for anyone interested, the state of encryption of (hidden) pools can be checked via `zfs list` and `zfs get all tank/ix-apps`, where tank is the pool selected for apps.

Any notes, comments, insights, suggestions are much appreciated!
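
The check from the note above, automated as an added example (not part of the original post and not TrueNAS code): it reads `zfs get` output and lists every dataset whose `encryption` property is `off` while an ancestor is encrypted. The function names and the sample listing are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag unencrypted datasets that sit below an encrypted ancestor.
# Input on stdin: tab-separated "name<TAB>encryption" lines, as produced by
#   zfs get -H -r -t filesystem,volume -o name,value encryption tank
# ("tank" is the pool selected for apps, as in the post).

find_unencrypted_children() {
    awk -F '\t' '
        { enc[$1] = $2; order[NR] = $1 }
        END {
            for (i = 1; i <= NR; i++) {
                name = order[i]
                if (enc[name] != "off") continue
                parent = name
                # Strip one path component at a time and look for the
                # nearest ancestor whose encryption property is not "off".
                while (sub("/[^/]*$", "", parent)) {
                    if ((parent in enc) && enc[parent] != "off") {
                        printf "%s\tunencrypted below encrypted %s\n", name, parent
                        break
                    }
                }
            }
        }'
}

# Constructed sample listing (dataset names below ix-apps are illustrative).
sample_listing() {
    printf 'tank\taes-256-gcm\n'
    printf 'tank/media\taes-256-gcm\n'
    printf 'tank/ix-apps\toff\n'
    printf 'tank/ix-apps/app_configs\toff\n'
    printf 'scratch\toff\n'
    printf 'scratch/tmp\toff\n'
}

# Demo on the sample; on a live system pipe the zfs command above instead.
sample_listing | find_unencrypted_children
```

Datasets on a pool that is unencrypted throughout (`scratch` in the sample) are not reported, since nothing there suggests they should be encrypted.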