Move vm images to encrypted zfs dataset

sussyamogus

New Member
Jul 1, 2023
I am currently in the process of transitioning my server to a state where all VM images are encrypted. I decided to do this by using ZFS encryption. I currently have an encrypted dataset created at pool/encrypted. How can I move my current VM disk images to this new dataset (they are at the root of the ZFS pool)?
 
You add that "pool/encrypted" as a new ZFS storage (Datacenter -> Storage -> Add -> ZFS) so you get a storage you can actually use to store virtual disks. Then, in your VM's hardware tab, there is a button to move a virtual disk between storages.

When working with ZFS native encryption, keep in mind that replication/migration won't work, so this makes a cluster more or less useless and it also affects cross-cluster migration.

To encrypt an unencrypted dataset/zvol you can also use "zfs send | zfs recv" and then do a "qm rescan" and/or "pct rescan".

An example of how to replace an unencrypted rpool/ROOT with an encrypted one:

Encrypt ZFS root filesystem

  • reboot server and boot into live Linux with ZFS support
  • Import ZFS pool: zpool import -f rpool
  • snapshot rpool/ROOT: zfs snapshot -r rpool/ROOT@copy
  • create copy of unencrypted rpool/ROOT and all children: zfs send -R rpool/ROOT@copy | zfs recv rpool/copyroot
  • destroy unencrypted rpool/ROOT: zfs destroy -r rpool/ROOT
  • create new encrypted rpool/ROOT: zfs create -o encryption=aes-256-gcm -o keyformat=passphrase rpool/ROOT
  • copy and encrypt unencrypted rpool/copyroot/pve-1: zfs send -R rpool/copyroot/pve-1@copy | zfs recv -o encryption=on rpool/ROOT/pve-1
  • destroy copy: zfs destroy -r rpool/copyroot
  • destroy snapshots: zfs destroy rpool/ROOT/pve-1@copy
  • export pool: zpool export rpool
  • reboot

And keep in mind that you may also want to encrypt your whole PVE with its root filesystem and swap partitions so you don't leak sensitive data on your remaining unencrypted storages (logging, caching, ...).
 
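After moving disks through the GUI or with "zfs send | zfs recv", it is worth confirming that no guest disk was left on an unencrypted dataset. The script below is an added example, not part of the thread: it parses `zfs get -H` output and classifies each Proxmox guest disk; the sample datasets, VMIDs and the pool/vault name are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which Proxmox guest disks are still unencrypted.
# Expected input (tab-separated), e.g. from:
#   zfs get -r -H -o name,property,value -t filesystem,volume \
#       encryption,encryptionroot,keystatus pool

# One dataset's three property rows, in `zfs get -H` layout.
row() {
  printf '%s\tencryption\t%s\n%s\tencryptionroot\t%s\n%s\tkeystatus\t%s\n' \
    "$1" "$2" "$1" "$3" "$1" "$4"
}

# Constructed sample data; dataset names and VMIDs are made up.
sample_zfs_get() {
  row pool                             off         -              -
  row pool/encrypted                   aes-256-gcm pool/encrypted available
  row pool/encrypted/vm-100-disk-0     aes-256-gcm pool/encrypted available
  row pool/encrypted/subvol-102-disk-0 aes-256-gcm pool/encrypted available
  row pool/vm-101-disk-0               off         -              -
  row pool/vault                       aes-256-gcm pool/vault     unavailable
  row pool/vault/vm-103-disk-0         aes-256-gcm pool/vault     unavailable
}

# Print "dataset<TAB>state<TAB>encryptionroot" for every guest disk.
guest_disk_report() {
  awk -F '\t' '
    { prop[$1, $2] = $3; seen[$1] = 1 }
    END {
      for (ds in seen) {
        n = split(ds, part, "/")
        # Proxmox naming: vm-<id>-disk-<n>, base-<id>-disk-<n>, subvol-<id>-disk-<n>
        if (part[n] !~ /^(vm|base|subvol)-[0-9]+-disk-[0-9]+$/) continue
        if (prop[ds, "encryption"] == "off") state = "UNENCRYPTED"
        else if (prop[ds, "keystatus"] != "available") state = "LOCKED"
        else state = "OK"
        printf "%s\t%s\t%s\n", ds, state, prop[ds, "encryptionroot"]
      }
    }' | sort
}

# Names only, for use in scripts: disks that still need to be moved.
unencrypted_guest_disks() {
  guest_disk_report | awk -F '\t' '$2 == "UNENCRYPTED" { print $1 }'
}

sample_zfs_get | guest_disk_report
```

On a real host, pipe the `zfs get` command from the header comment into `guest_disk_report` instead of the sample function.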
Thanks for the amazing and rapid response! One more question, do I need to worry about wiping the data securely on the ssd after I move it to an encrypted dataset?
 
You can't securely wipe data without wiping the whole SSD with everything on it. Only a "secure_erase" can wipe the inaccessible parts of an SSD. With that you don't tell your OS to delete the data on it, you tell the SSD's firmware to wipe itself. With everything else other than a secure_erase, your unencrypted data might remain in the inaccessible spare area. So back up all your data to another disk/host/NAS, secure_erase the whole SSD, encrypt that factory-fresh SSD and then restore data from the backup.

See here, on how to secure_erase a SATA SSD: https://www.thomas-krenn.com/en/wiki/Perform_a_SSD_Secure_Erase
It should be similar with NVMe, but with other commands.
 