Now that we have native ZFS encryption, pve-zsync needs to be able to pass the -w (--raw) flag to zfs send. This allows the sending of the encrypted dataset without being decrypted before transit. It allows incremental snapshot-based send and receive in the encrypted (and compressed if so) state. So, like how --compressed passs the -c flag to zfs send, --encrypted would pass the -w flag. Might take a bit of research if this will be incompatible with any other flags but otherwise should be easy to implement. Thank you.
see the two linked bugs for some previous discussion..
(In reply to Fabian Grünbichler from comment #1) > see the two linked bugs for some previous discussion.. I think most of that discussion doesn't apply to the request here. Just adding an off-by-default option to pve-zsync shouldn't be problematic. Won't break existing jobs for encrypted datasets that already replicated without the raw flag before. And it's up to the user to opt-in to the option for new jobs.
https://bugzilla.proxmox.com/show_bug.cgi?id=2350#c19 After some brief off-list chat, Fabian told me he is still concerned about this, i.e. stability of the feature.