diff --git a/illumos-utils/src/zfs.rs b/illumos-utils/src/zfs.rs
index 76ec405422f..d533d5f9e39 100644
--- a/illumos-utils/src/zfs.rs
+++ b/illumos-utils/src/zfs.rs
@@ -186,6 +186,9 @@ impl Zfs {
     /// Creates a new ZFS filesystem named `name`, unless one already exists.
     ///
     /// Applies an optional quota, provided _in bytes_.
+    ///
+    /// Returns "true" if the filesystem was mounted, when it previously was
+    /// not.
     pub fn ensure_filesystem(
         name: &str,
         mountpoint: Mountpoint,
@@ -193,20 +196,21 @@ impl Zfs {
         do_format: bool,
         encryption_details: Option<EncryptionDetails>,
         quota: Option<usize>,
-    ) -> Result<(), EnsureFilesystemError> {
+    ) -> Result<bool, EnsureFilesystemError> {
         let (exists, mounted) = Self::dataset_exists(name, &mountpoint)?;
         if exists {
             if encryption_details.is_none() {
                 // If the dataset exists, we're done. Unencrypted datasets are
                 // automatically mounted.
-                return Ok(());
+                return Ok(false);
             } else {
                 if mounted {
                     // The dataset exists and is mounted
-                    return Ok(());
+                    return Ok(false);
                 }
                 // We need to load the encryption key and mount the filesystem
-                return Self::mount_encrypted_dataset(name, &mountpoint);
+                Self::mount_encrypted_dataset(name, &mountpoint)?;
+                return Ok(true);
             }
         }
 
@@ -258,7 +262,7 @@ impl Zfs {
                 });
             }
         }
-        Ok(())
+        Ok(true)
     }
 
     fn mount_encrypted_dataset(
diff --git a/sled-hardware/src/disk.rs b/sled-hardware/src/disk.rs
index 7d58330e9ff..f2c4c276b22 100644
--- a/sled-hardware/src/disk.rs
+++ b/sled-hardware/src/disk.rs
@@ -438,7 +438,7 @@ impl Disk {
 
         // Ensure the root encrypted filesystem exists
         // Datasets below this in the hierarchy will inherit encryption
-        if let Some(dataset) = root {
+        let newly_mounted_crypt = if let Some(dataset) = root {
             let Some(key_requester) = key_requester else {
                 return Err(DiskError::MissingStorageKeyRequester);
             };
@@ -486,7 +486,9 @@ impl Disk {
 
             info!(
                 log,
-                "Ensuring encryted filesystem: {} for epoch {}", dataset, epoch
+                "Ensuring encrypted filesystem: {} for epoch {}",
+                dataset,
+                epoch
             );
             let result = Zfs::ensure_filesystem(
                 &format!("{}/{}", zpool_name, dataset),
@@ -501,14 +503,16 @@ impl Disk {
                 DiskError::IoError { path: keyfile.path().0.clone(), error }
             })?;
 
-            result?;
-        }
+            result?
+        } else {
+            false
+        };
 
         for dataset in datasets.into_iter() {
             let mountpoint = zpool_name.dataset_mountpoint(dataset.name);
             let name = &format!("{}/{}", zpool_name, dataset.name);
 
-            if dataset.wipe {
+            if dataset.wipe && newly_mounted_crypt {
                 info!(log, "Automatically destroying dataset {}", name);
                 Zfs::destroy_dataset(name).or_else(|err| {
                     // If we can't find the dataset, that's fine -- it might