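# Create the new encrypted parent dataset for the root filesystem.
# keyformat=passphrase with no keylocation makes zfs prompt for the passphrase
# on the terminal. A lost passphrase cannot be recovered, and it has to be
# entered at the console on every boot.
zfs create -o encryption=on -o keyformat=passphrase rpool/ROOTenc

# Point the kernel command line at the encrypted dataset.
# The previous file is kept as /etc/kernel/cmdline.bak so the change can be
# reverted from a rescue environment if the system does not boot.
sed -i.bak 's@/ROOT/@/ROOTenc/@g' /etc/kernel/cmdline
cat /etc/kernel/cmdline

# Snapshot the current root and copy it below the encrypted parent.
# The snapshot is a point-in-time copy of a running system: anything written
# to rpool/ROOT after this line is not part of the encrypted copy.
zfs snapshot -r rpool/ROOT@forCopy
# The received dataset is given no keyformat of its own, so it is expected to
# use the key of rpool/ROOTenc; the zfs get below confirms this.
zfs send -R rpool/ROOT/pve-1@forCopy | zfs receive -o encryption=on rpool/ROOTenc/pve-1

# Check the copy before rebooting: encryption must not be "off" and
# encryptionroot should be rpool/ROOTenc. Do not continue otherwise.
zfs get encryption,encryptionroot,keystatus rpool/ROOTenc/pve-1

# Only rpool/ROOT is migrated by these commands; any other dataset in the pool
# stays as it was.

# Write the changed kernel command line to the EFI boot setup.
# NOTE(review): newer Proxmox VE releases name this tool proxmox-boot-tool;
# confirm which name your release provides.
pve-efiboot-tool refresh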
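# —— REBOOT ——
# The boot process should now ask for the passphrase.
#
# Cleanup: run this only after the reboot.
# The destroy commands are irreversible, so they are guarded: they run only if
# / is mounted from the encrypted dataset and that dataset reports an
# encryption value other than "off".
root_src=$(findmnt -n -o SOURCE /)
enc_state=$(zfs get -H -o value encryption rpool/ROOTenc/pve-1)
if [ "$root_src" = "rpool/ROOTenc/pve-1" ] && [ -n "$enc_state" ] && [ "$enc_state" != "off" ]; then
  # Remove the helper snapshots on both sides of the copy.
  zfs destroy -r rpool/ROOT@forCopy
  zfs destroy -r rpool/ROOTenc@forCopy
  # -R also destroys dependents of rpool/ROOT (for example clones), not only
  # its children.
  # zfs destroy frees the old blocks but does not overwrite them, so the
  # unencrypted data can remain readable on the disk until the space is reused.
  zfs destroy -R rpool/ROOT
else
  echo "Not destroying rpool/ROOT: / is mounted from '${root_src}', encryption is '${enc_state}'" >&2
fi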