Install normally using the installer. After the setup, reboot into recovery mode (from the USB stick). Make sure to install in UEFI mode (you need systemd-boot).
If the USB stick is not working for you because of the old kernel version (2.6.x), you can also use an Ubuntu 19.10 / 20.04 boot stick. ZFS support is enabled there out of the box.
Steps:
# Import the old pool
zpool import -f rpool
# Make a snapshot of the current one
zfs snapshot -r rpool/ROOT@copy
# Send the snapshot to a temporary root
zfs send -R rpool/ROOT@copy | zfs receive rpool/copyroot
# Destroy the old unencrypted root
zfs destroy -r rpool/ROOT
# Create a new zfs root, with encryption turned on
# Or name the cipher explicitly with -o encryption=aes-256-gcm (the choice is aes-256-ccm vs aes-256-gcm)
zfs create -o encryption=on -o keyformat=passphrase rpool/ROOT
# Copy the files from the copy to the new encrypted zfs root
zfs send -R rpool/copyroot/pve-1@copy | zfs receive -o encryption=on rpool/ROOT/pve-1
# Set the Mountpoint
zfs set mountpoint=/ rpool/ROOT/pve-1
# Delete the old unencrypted copy
zfs destroy -r rpool/copyroot
# Export the pool again, so you can boot from it
zpool export rpool
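A check worth running just before the "Delete the old unencrypted copy" step, as an added example that is not part of the original steps: it parses `zfs get` output and refuses to report success while any dataset under the new root is still plaintext or locked. The function names and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original guide). Function names are hypothetical.

# Reads tab-separated `zfs get -H -o name,property,value encryption,keystatus`
# output on stdin. Prints every dataset that is still plaintext or whose key
# is not loaded; returns 0 only if all datasets seen are encrypted and unlocked.
check_encrypted() {
    awk -F '\t' '
        BEGIN { n = 0; bad = 0 }
        $2 == "encryption" {
            n++
            if ($3 == "off") { print "UNENCRYPTED " $1; bad = 1 }
        }
        $2 == "keystatus" && $3 == "unavailable" {
            print "KEY-NOT-LOADED " $1; bad = 1
        }
        END {
            # No datasets at all usually means a wrong name or a failed import.
            if (n == 0) { print "NO-DATASETS"; exit 1 }
            if (!bad) print "OK " n " dataset(s) encrypted, keys loaded"
            exit bad
        }'
}

# Run the check against a live pool, e.g. verify_dataset rpool/ROOT
verify_dataset() {
    zfs get -H -r -t filesystem,volume -o name,property,value \
        encryption,keystatus "$1" | check_encrypted
}

# Constructed sample: the parent is encrypted, the received child is not.
sample_zfs_get() {
    printf 'rpool/ROOT\tencryption\taes-256-gcm\n'
    printf 'rpool/ROOT\tkeystatus\tavailable\n'
    printf 'rpool/ROOT/pve-1\tencryption\toff\n'
    printf 'rpool/ROOT/pve-1\tkeystatus\t-\n'
}

# Demo on the constructed sample; on the real system use:
#   verify_dataset rpool/ROOT && zfs destroy -r rpool/copyroot
sample_zfs_get | check_encrypted || echo "plaintext data found, keep rpool/copyroot"
```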
If you want, turn on compression and other ZFS features afterwards.
Helpful commands:
# List all datasets and their mountpoints
zfs list
# Check which ZFS datasets are encrypted
zfs get encryption
# Load the keys and mount everything
zfs mount -l -a
# Show pools with size and health (zpool status shows the devices)
zpool list
Original steps from Yakuraku (proxmox-forum). Thanks to @nschemel for suggesting to delete the copy.
I wasn't comfortable with the rescue mode or a normal ubuntu-version, so I did everything with NomadBSD. In short, it is like a bootable knoppix, but with FreeBSD: https://www.nomadbsd.org | https://github.com/nomadbsd/NomadBSD
At first you write the image to a thumbdrive (I strongly suggest a USB3-device, USB2 is sloooow), then boot from it. The wizard will then ask some things, which software you prefer, username, password etc. and as a bonus you could set up an SSH server from there to remote-login and copy and paste the following. I changed it a little bit, it is now a no-brainer ;)
Bonus2:
If your proxmox-installation resides on a trim-capable device you could set
zpool set autotrim=on rpool
and watch it after some time with
zpool iostat -r rpool
and
zfs set recordsize=1M compression=zstd-3 rpool
does not hurt. You can go from zstd-1-19, but zstd-3 is the default and at this point compresses better than lz4. zstd-19 is unnecessary here and will slow down even big multicore cpus and your vms. Some background: https://openzfs.org/w/images/b/b3/03-OpenZFS_2017_-_ZStandard_in_ZFS.pdf
Bonus3:
If you have additional disks/pools for vm-storage or just want another password, try this:
The dataset is unlocked at this point, after reboot you can unlock with:
zfs mount -l rpool/vmdatasetcrypta01
In the GUI you can then safely delete unencrypted storages.