zstream should be able to wrap/unwrap encrypted streams.

[rincebrain]

Describe the feature would like to see added to OpenZFS

It would be useful to be able to send encrypted streams that are not encrypted on the initial source and without requiring the receiver to have access to the keys, e.g. zfs send -RLc mypool/ds1@unencrypted | zstream encrypt -K [...] | ssh EC2machine zfs receive destpool/enc_ds1.

It would also similarly be useful to be able to unwrap these on the receiver without having to do a dance of receiving them encrypted, unlocking it, and doing an unencrypted send there.

The devil in this, of course, becomes the additional metadata we stash for noticing if the encryption root changed, though I suppose if we did something to deterministically derive it from the key material you could synthesize a unique enough ID to persist across sends and get consistent error behavior on the receiver...

How will this feature improve OpenZFS?

More flexible/convenient handling of native encryption for testing and various migration use cases.

Additional context

Conceivably, we could extend send or receive to do this themselves, but I think the existing zstream filter makes more sense, personally.