diff --git a/bundles/zfs/items.py b/bundles/zfs/items.py
index 546ff17..33847bd 100644
--- a/bundles/zfs/items.py
+++ b/bundles/zfs/items.py
@@ -43,8 +43,17 @@ svc_systemd = {
 for name, config in node.metadata.get('zfs/datasets', {}).items():
     zfs_datasets[name] = config
+    zfs_datasets[name].pop('backup', None)
+    encrypted = zfs_datasets[name].pop('encrypted', None)
+    if encrypted:
+        zfs_datasets[name]['encryption'] = 'aes-256-gcm'
+        zfs_datasets[name]['keylocation'] = 'prompt'
+        zfs_datasets[name]['keyformat'] = 'hex'
+        zfs_datasets[name]['password'] = node.metadata.get('zfs/password')
+
+
 for name, config in node.metadata.get('zfs/pools', {}).items():
     zfs_pools[name] = {
         "when_creating": {
diff --git a/bundles/zfs/metadata.py b/bundles/zfs/metadata.py
index a2f485d..912ca46 100644
--- a/bundles/zfs/metadata.py
+++ b/bundles/zfs/metadata.py
@@ -1,4 +1,6 @@
-#import re
+from uuid import UUID
+from base64 import b64encode, b64decode
+
 defaults = {
     'apt': {
@@ -89,6 +91,17 @@ def dataset_defaults(metadata):
     }
+@metadata_reactor.provides(
+    'zfs/password'
+)
+def encryption_key(metadata):
+    return {
+        'zfs': {
+            'password': b64decode(repo.vault.random_bytes_as_base64_for(b64encode(UUID(metadata.get('id')).bytes).decode(), length=32).value).hex(),
+        },
+    }
+
+
 @metadata_reactor.provides(
     'backup/paths'
 )
diff --git a/nodes/home.server.py b/nodes/home.server.py
index b4c3c38..77f2ca6 100644
--- a/nodes/home.server.py
+++ b/nodes/home.server.py
@@ -197,6 +197,12 @@
             'hdd/nextcloud/ckn-privat': {
                 'mountpoint': '/var/lib/nextcloud/ckn-privat/files',
             },
+
+
+            'tank/enctest1': {
+                'mountpoint': 'none',
+                'encrypted': True,
+            },
         },
     },
 },
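Review bot: `zfs_datasets[name]['password'] = node.metadata.get('zfs/password')` in the items.py hunk places the raw hex key into a plain item attribute, so anything that renders item attributes (apply diffs, item dumps, debug output) can expose it; since `zfs/password` is produced in metadata.py by unwrapping a vault Fault with `.value`, consider carrying the Fault through to the item and resolving it only where the key is actually fed to zfs. Separately, `zfs_datasets[name] = config` followed by `.pop('backup', None)` and `.pop('encrypted', None)` mutates the dict returned by `node.metadata.get('zfs/datasets', {})`; if that is a reference into node metadata rather than a copy, any other reader of the dataset `backup`/`encrypted` flags sees them removed, so copy first: `zfs_datasets[name] = dict(config)`. With `keylocation` set to `'prompt'`, ZFS does not persist the key itself, so the dataset item must also be able to load the key for datasets that already exist, not only pass it at creation — whether it does is outside this hunk.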
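Review bot: In `encryption_key` (metadata.py hunk), `.value` resolves the vault Fault at metadata-generation time, so the 32-byte key is stored as a plaintext hex string in `zfs/password` and loses the deferred, redacted handling a Fault gives; prefer returning the Fault and decoding it where the key is consumed. The key is derived from `metadata.get('id')` alone, so every encrypted dataset on a node shares the same key — acceptable if intended, but it deserves a docstring such as `"""Derive the node-wide ZFS encryption key (32 random vault bytes as hex) from the node id; all encrypted datasets on this node share it."""`. `UUID(metadata.get('id'))` raises if `id` is missing or not a valid UUID, which would abort metadata processing even for nodes with no encrypted dataset; returning `{}` when `id` is absent (or when no dataset sets `encrypted`) keeps the reactor inert there.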