I’ll revise this post later, but just for now – because in the past I’ve mentioned encrypted zpools over linux md devices for backups – don’t ever do this.
It works fine for operations, but I’ve encountered at least one zpool split off an md device that zfs-on-linux sees as too corrupt to import for a restore, even with -fFmX. That’s absolutely unacceptable for a backup scheme.
My in-house ZFS backups are currently rebuilding on to separate LUKS devices in a pool as a mirror (CPU is not an issue in 2014). Expect a HOWTO in the future once I prove that they reliably split off into separate pools for doing restores.