Question about LXD / ZFS encryption on the ZFS dataset

On my laptop today I reinstalled LXD in order to match compression with what I use on my webserver.

I created the LXD ZFS dataset manually via:

sudo zfs create -o mountpoint=none -o atime=off -o xattr=sa -o compression=zstd -o encryption=on -o keylocation=file:///etc/zfs/john.key -o keyformat=passphrase rpool/lxd

So encryption = on.

To get some info on the rpool/lxd filesystem:

$ sudo zfs list -o name,compression,encryption,keylocation,copies,atime,xattr,mountpoint -r rpool/lxd
NAME                                COMPRESS        ENCRYPTION   KEYLOCATION               COPIES  ATIME  XATTR  MOUNTPOINT
rpool/lxd                           zstd            aes-256-gcm  file:///etc/zfs/john.key  1       off    sa     legacy
rpool/lxd/buckets                   zstd            aes-256-gcm  none                      1       off    sa     legacy
rpool/lxd/containers                zstd            aes-256-gcm  none                      1       off    sa     legacy
rpool/lxd/containers/myforum        zstd            aes-256-gcm  none                      1       off    sa     legacy
rpool/lxd/custom                    zstd            aes-256-gcm  none                      1       off    sa     legacy
rpool/lxd/deleted                   zstd            aes-256-gcm  none                      1       off    sa     legacy
rpool/lxd/deleted/buckets           zstd            aes-256-gcm  none                      1       off    sa     legacy
rpool/lxd/deleted/containers        zstd            aes-256-gcm  none                      1       off    sa     legacy
rpool/lxd/deleted/custom            zstd            aes-256-gcm  none                      1       off    sa     legacy
rpool/lxd/deleted/images            zstd            aes-256-gcm  none                      1       off    sa     legacy
rpool/lxd/deleted/virtual-machines  zstd            aes-256-gcm  none                      1       off    sa     legacy
rpool/lxd/images                    zstd            aes-256-gcm  none                      1       off    sa     legacy
rpool/lxd/virtual-machines          zstd            aes-256-gcm  none                      1       off    sa     legacy

My question is about the KEYLOCATION part of that output. Specifically, “none” listed for everything that LCD added under rpool/lxd.

Does “none” under KEYLOCATION there simply mean the keylocation was inherited from rpool/lxd?

Or, is LXD using something else for the encryption key of those datasets nested under rpool/lxd?

This is hierarchical, so as long as the parent has it, it will be used for descendant FS. If for some reason you want one descendant, say rpool/lxd/buckets to be plaintext, you can disable it at the FS level. LXD is not aware nor involved in this encryption management.

Also, man 8 zfs-load-key:

Any descendant datasets will inherit their encryption key from the encryption root by default, meaning that loading, unloading, or changing the key for the encryption root will implicitly do the same for all inheriting datasets.