[TUTORIAL] Adding Full Disk Encryption to Proxmox

Running Proxmox 8.4 / Debian 12.

SSH login was not working, but the more concerning behavior was...
[booting... ], then prompts some output loading dropbear and after a carriage return, prompts for encryption password on local display, then displays (consistently repeating over and over):
Code:
/scripts/init-premount/dropbear: line 339: sleep: not found
/scripts/init-premount/dropbear: line 149: cat: not found
... repeats over and over again so fast it's challenging to read... until you press ALT-F4. I found a few references to issues with similar setups and this same cat/sleep output via internet search, but did not find a specific solution. It appears these should be provided by busybox, which is a dependency of initramfs, so it makes little sense. That said, I modified the following:

Update: those cat/sleep output lines don't appear after adding ethernet device drivers to:
Code:
# cat /etc/initramfs-tools/modules
# List of modules that you want to include in your initramfs.
# Examples:
# raid1
# sd_mod
e1000e
r8169
bonding

also modified this line in '/etc/default/grub' (originally referenced vmbr0 below, but realized that probably was not available at that stage of the boot, so changed to the underlying NIC name and REMOVED 'quiet' so now the line looks like this):
Code:
GRUB_CMDLINE_LINUX_DEFAULT="ip=192.168.0.10:::::enp0s25:none iommu=pt nvme_core.default_ps_max_latency_us=0"

It looks like SSH is working at this point and the output lines no longer occur.

Thanks for a great TUTORIAL! I might say a bit more verbosity in the last steps might be helpful for folks to avoid the issues (or others) I had above.
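As an added example (not from the post or the tutorial it replies to): a small POSIX sh helper that checks the two things that went wrong above, the ip= field on the kernel command line (a bridge such as vmbr0 does not exist yet in the initramfs) and whether the generated initramfs actually contains the NIC modules and busybox applets it needs. The listing check expects the output of lsinitramfs; the sample listing inside the block is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the two settings that bit the poster
# above: the ip= kernel parameter and the contents of the generated initramfs.
# ip= format: ip=client:server:gw:netmask:hostname:device:autoconf

# Takes the kernel command line (the GRUB_CMDLINE_LINUX_DEFAULT value is fine),
# prints one line per problem, returns 1 if a fatal problem was found.
check_ip_param() {
    spec=$(printf '%s\n' "$1" | tr -d '"' | tr ' ' '\n' | sed -n 's/^ip=//p' | head -n 1)
    if [ -z "$spec" ]; then
        echo "no ip= parameter: the initramfs brings up no NIC, so dropbear is unreachable"
        return 1
    fi
    client=$(printf '%s\n' "$spec" | cut -d: -f1)
    gw=$(printf '%s\n' "$spec" | cut -d: -f3)
    dev=$(printf '%s\n' "$spec" | cut -d: -f6)
    auto=$(printf '%s\n' "$spec" | cut -d: -f7)
    rc=0
    case $dev in
        '')    echo "device (6th field) is empty"; rc=1 ;;
        vmbr*) echo "device '$dev' is a Proxmox bridge; it does not exist in the initramfs, use the physical NIC"; rc=1 ;;
    esac
    if [ -z "$client" ] && [ "$auto" = none ]; then
        echo "no client address and autoconf=none: nothing will be configured"; rc=1
    fi
    [ -n "$gw" ] || echo "warning: no gateway, the host is only reachable from its own subnet"
    return $rc
}

# Prints each name (kernel module or binary) that is absent from an initramfs
# file listing, as produced by: lsinitramfs /boot/initrd.img-$(uname -r)
missing_from_listing() {
    listing=$1; shift
    for name; do
        printf '%s\n' "$listing" | grep -q -e "/$name\$" -e "/$name\.ko" || echo "$name"
    done
}

# Constructed sample listing (not a real image): e1000e and cat present, r8169 and sleep absent.
SAMPLE_LISTING="usr/lib/modules/6.8.12-11-pve/kernel/drivers/net/ethernet/intel/e1000e/e1000e.ko
usr/bin/busybox
bin/cat"

if [ "${1:-}" = --demo ]; then
    check_ip_param 'ip=192.168.0.10:::::vmbr0:none iommu=pt'
    missing_from_listing "$SAMPLE_LISTING" e1000e r8169 sleep cat
fi
```

Run it with `--demo` to see both checks fire; on a real host, pass `"$(lsinitramfs /boot/initrd.img-$(uname -r))"` as the listing.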
Dropbear and mandos have stopped working for me after I copied my install to a new NVME. I'm using software encryption now after the previous OPAL hw encrypted NVME failed.

When PVE was booting, it showed a message that dropbear was loaded but then it just printed repeated messages saying something about the stack (unfortunately these pre-boot messages aren't logged) before dropping to initramfs, where I had to run 'cryptsetup open /dev/nvme0n1p3 cryptlvm' to decrypt the partition, before typing 'exit' and then the boot continued as normal.

After checking the dropbear conf files and testing that mandos was working by running '/usr/lib/x86_64-linux-gnu/mandos/plugins.d/mandos-client --pubkey=/etc/keys/mandos/pubkey.txt --seckey=/etc/keys/mandos/seckey.txt --connect=10.10.55.20:9601; echo' which returned the password, I ran update-initramfs -u and now when it's booting it says that '/etc/mandos/plugin-runner.conf' is loaded (that contains '--options-for=mandos-client:--connect=10.10.55.20:9601' so it can find the mandos server) but doesn't say anything about dropbear or show any repeated error messages, but it still eventually drops to initramfs and I have to manually decrypt the partition again.

When looking at dmesg I saw this:
[ 0.079578] Kernel command line: BOOT_IMAGE=/vmlinuz-6.8.12-11-pve root=/dev/mapper/pve--AM-root ro debug libata.allow_tpm=1 intel_iommu=on i915.enable_gvt=1 ip=10.10.55.198::10.10.55.1:255.255.255.0::eno1:none
[ 0.079702] DMAR: IOMMU enabled
[ 0.079761] Unknown kernel command line parameters "BOOT_IMAGE=/vmlinuz-6.8.12-11-pve ip=10.10.55.198::10.10.55.1:255.255.255.0::eno1:none", will be passed to user space.

which seems a bit strange, as I've been using those parameters for ages and I'm pretty sure they're required to be able to pass through the Intel iGPU to use it with Plex and Frigate. libata.allow_tpm=1 is only needed for OPAL h/w encryption, so I could remove that, but it seems to be saying that most of those parameters are unknown and isn't passing them.

Anyway, maybe that error is a red herring. The important thing is that I'm not seeing a prompt for the password like I used to, and dropbear and mandos aren't working at boot. I've got this in my /etc/crypttab file

cryptlvm UUID=dc66aee7-8664-4283-91c6-7e553b6f07fd none luks,discard,keyscript=decrypt_keyctl

and that is the UUID for nvme0n1p3. Does anything look wrong with that line that could be causing the failure to prompt for the password?
 
OK, I'm not entirely sure how but I've fixed it. There was an extraneous " at the end of the line in dropbear.conf, so removing that got dropbear working. That shouldn't have affected mandos, but after regenerating initramfs with "update-initramfs -u -k all" mandos is working again too.

Apparently initramfs has been made more rigid recently, and now with keyscript=decrypt_keyctl in cryptlvm to cache the passphrase from mandos to automatically decrypt my USB data drive, it will no longer show the on-screen prompt for the passphrase, although you can still enter it locally or use dropbear to enter it.

ChatGPT suggested adding tries=1 after the keyscript parameter, to make it prompt for the passphrase if it can't retrieve it from the mandos server, but that didn't work, so it suggested using this script instead of decrypt_keyctl:

#!/bin/sh
exec /usr/lib/mandos/plugin-helpers/mandos-client || /lib/cryptsetup/askpass "Enter passphrase for $CRYPTTAB_SOURCE ($CRYPTTAB_NAME): "

but that didn't cause it to prompt for the passphrase either and entering it locally didn't work anymore, and it stopped dropbear working. So I'll just put up with the missing prompt.
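As an added example (not from the thread, nor from the mandos or cryptsetup projects): the suggested script cannot fall back to the local prompt because exec hands the whole process to mandos-client, so nothing is left to run the || branch; the wrapper below runs mandos first and only asks locally when that fails. The mandos-client path and options are the ones tested in the earlier post; that the same path exists inside the initramfs is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Shows why a keyscript of the form
#   exec mandos-client || askpass ...
# can never fall back to the local prompt, and a wrapper that does fall back.

# Same shape as the suggested script: exec replaces the shell with "$0", so when
# that program exits non-zero (or cannot be found, exit 127) there is no shell
# left to evaluate the "||" branch. Prints nothing in both cases.
exec_then_fallback() {
    sh -c 'exec "$0" || echo fallback' "$1" 2>/dev/null
}

# Run the primary command; if it fails or returns an empty passphrase, run the
# fallback. Both arguments are command strings. The passphrase goes to stdout,
# which is what cryptsetup reads from a crypttab keyscript.
fetch_passphrase() {
    if key=$(sh -c "$1" 2>/dev/null) && [ -n "$key" ]; then
        printf '%s' "$key"
        return 0
    fi
    sh -c "$2"
}

# Keyscript entry point. The mandos-client path and options are the ones the
# poster tested above; that this path also exists inside the initramfs is an
# assumption (check with lsinitramfs). CRYPTTAB_* are exported by cryptsetup.
MANDOS_CLIENT='/usr/lib/x86_64-linux-gnu/mandos/plugins.d/mandos-client --pubkey=/etc/keys/mandos/pubkey.txt --seckey=/etc/keys/mandos/seckey.txt --connect=10.10.55.20:9601'
ASKPASS="/lib/cryptsetup/askpass 'Enter passphrase for $CRYPTTAB_SOURCE ($CRYPTTAB_NAME): '"
keyscript_main() {
    fetch_passphrase "$MANDOS_CLIENT" "$ASKPASS"
}

# Only act as a keyscript when cryptsetup invoked us (it sets CRYPTTAB_NAME).
if [ -n "${CRYPTTAB_NAME:-}" ]; then
    keyscript_main
fi
```

Unlike decrypt_keyctl, this wrapper does not cache the passphrase in the kernel keyring, so a second volume that relied on that cache would need its own entry. Regenerate the initramfs with update-initramfs -u -k all after installing it, as the post above did.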