Encrypting Proxmox VE (Best Methods)

But be warned... I wasn't able to keep it short and to the point... right now it's more a complete guide from creating the install USB stick, over a way too long excessive monologue about ZFS fundamentals to the complete configuration of the encrypted PVE installation including LUKS encrypted swap and remote unlocking with VLAN support.
One can never have too much good knowledge ;-)
 
As I've a fully encrypted Ubuntu 20.04 with zfs running, I wanted to test if the same would be possible for proxmox, because I want to migrate the ubuntu installation over to proxmox.

I'm not the biggest fan of the luks + zfs version, because of the added complexity, while it should be possible only with zfs. So I searched a while and found some bits and pieces here in the forums and the zfs repo.

Right now I have the root of my proxmox server encrypted and the password is asked at boot via console and ssh. So I can input the password locally or remotely.

Because I found no complete tutorial, I created a forum account to share with you what I've done so far.

Warning: You will need zfs 0.8.5 or newer, as far as I know. So this will only work with proxmox 6.3 or newer. I've tested it with the newly released 6.4 version.
  1. Install proxmox and choose zfs raid 0 in the installer.
  2. After installation I booted right into the rescue mode and followed this link to a gist with instructions (which is originally from this forum. Thanks @Yakuraku)
    • In addition to the tutorial, I had to move the mount point of the dataset "copyroot/pve-1" to /rpool/copyroot/pve-1 to get it to work. Because without this, there were two datasets with the same mount point and the system didn't boot.
    • Another way would be to delete the old copyroot stuff after migrating. That's what you would like to do anyways.
  3. After that I was able to boot into the system.
  4. Because I want to unlock my encrypted root dataset remotely, there was one other step to do. Since zfs 0.8.5 it's possible to unlock zfs datasets via ssh while the system is booting. It's fairly simple, but a bit harder to find. Just follow the instructions at the bottom of the initramfs readme from zfs github repo
  5. After that there was only one more step to do: encrypting the dataset for vms and containers. That's well documented in the proxmox documentation
    1. Create an encryption key:
      Code:
      openssl rand -hex -out /root/data-encrypted.key 32
    2. Create new encrypted dataset:
      Code:
      zfs create -o encryption=on -o keyformat=hex -o keylocation=file:///root/data-encrypted.key rpool/data/encrypted
    3. Add the encrypted dataset to proxmox:
      Code:
      pvesm add zfspool encrypted_zfs -pool rpool/data/encrypted

I hope that little writeup helps anyone.

Hello!
The link in step 4 is no longer valid.. where would I find the relevant info? cheers!
 
is there a guide for folks that don't have a UEFI rig?
It is still possible but you can't use an encrypted ZFS pool, as that requires UEFI with systemd boot. So the above won't work, as grub can't boot from encrypted ZFS pools.
For BIOS with grub you would need to install a LUKS encrypted Debian 11 with LVM/LVM-Thin (and optionally on top of a mdadm software raid) and turn that into a PVE later. Did that 2 years ago with Debian 10 and that server is still running fine. Dropbear-initramfs for SSH remote unlocking works with LUKS too.
 
ok, so someone want to tell me what I've done.. cause it looks like it's working...
I have this motherboard:

https://www.supermicro.com/products/archive/motherboard/x8dah_

Which I'm quite certain does not have UEFI - only BIOS. I followed all the steps from here:

https://gist.github.com/yvesh/ae77a68414484c8c79da03c4a4f6fd55

after which I rebooted, it prompted for passphrase, which I entered, and now am logged in to the host.
In host shell,
Code:
zfs get encryption
spits out this:

NAME                   PROPERTY    VALUE        SOURCE
rpool                  encryption  off          default
rpool/ROOT             encryption  aes-256-gcm  -
rpool/ROOT/pve-1       encryption  aes-256-gcm  -
rpool/ROOT/pve-1@copy  encryption  aes-256-gcm  -
rpool/copyroot         encryption  off          default
rpool/copyroot@copy    encryption  off          default
rpool/copyroot/pve-1   encryption  off          default
rpool/data             encryption  off          default


soooo...is my host install encrypted or not? Is there an unencrypted copy remaining, which I should delete?
 
ok, so someone want to tell me what I've done..
not really possible :)

anyways - since PVE 6.4 IIRC - https://pve.proxmox.com/wiki/Roadmap#Proxmox_VE_6.4

proxmox-boot-tool is also used for legacy-bios systems (grub is installed onto the 512MB VFAT ESP) - so in theory you can use ZFS encryption on those systems as well (haven't tried so myself)

-> what's the output of `proxmox-boot-tool status` ?
 


System currently booted with legacy bios
36F3-16C3 is configured with: grub (versions: 5.15.30-2-pve)
36F3-A541 is configured with: grub (versions: 5.15.30-2-pve)
 
re: step #4... is dropbear outright needed, or can one use openssh?
 
soooo...is my host install encrypted or not? Is there an unencrypted copy remaining, which I should delete?
Yes, but not 100% the whole host (and it's ok that way). Only the necessary boot-portion is not encrypted (to make the bootchain possible anyway), the dataset rpool/ROOT with the underlying datasets is encrypted (where your data goes).

You could delete rpool/copyroot to save some bits or keep as some sort of "go back to start"-snapshot.

To clear that out: encrypting datasets works with legacy and UEFI.
 
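Added example, not part of any post in this thread: a shell check that answers the question above by listing which datasets still report encryption off, so an unencrypted copy such as rpool/copyroot stands out. The sample input is constructed from the output posted earlier in the thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit `zfs get encryption` output (NAME PROPERTY VALUE SOURCE).
# Function names are hypothetical; the sample is constructed from the thread.

sample_zfs_get() {
cat <<'EOF'
NAME                   PROPERTY    VALUE        SOURCE
rpool                  encryption  off          default
rpool/ROOT             encryption  aes-256-gcm  -
rpool/ROOT/pve-1       encryption  aes-256-gcm  -
rpool/ROOT/pve-1@copy  encryption  aes-256-gcm  -
rpool/copyroot         encryption  off          default
rpool/copyroot@copy    encryption  off          default
rpool/copyroot/pve-1   encryption  off          default
rpool/data             encryption  off          default
EOF
}

# Print every dataset or snapshot whose encryption value is "off".
# The header line is skipped because its second column is not "encryption".
unencrypted_datasets() {
    awk '$2 == "encryption" && $3 == "off" { print $1 }'
}

# Same, limited to one subtree: the dataset itself, its children, its snapshots.
unencrypted_under() {
    unencrypted_datasets |
        awk -v p="$1" '$1 == p || index($1, p "/") == 1 || index($1, p "@") == 1'
}

# Exit 0 only if the named dataset appears in the input and is not "off".
is_encrypted() {
    awk -v d="$1" '$1 == d && $2 == "encryption" { ok = ($3 != "off") }
                   END { exit !ok }'
}

# Stand-alone demo on the constructed sample.
sample_zfs_get | unencrypted_datasets
# On a live host: zfs get -H -r encryption rpool | unencrypted_datasets
```

On the sample this prints rpool, the three rpool/copyroot entries and rpool/data; nothing under rpool/ROOT is listed.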
I'm coming undone @ the whole ssh install / config step..
every tutorial I read specifies steps that involve keyfiles & static IPs.. what if I don't want these, or have access to these?
I understand that it is less secure if I just use a passphrase, but I plan on using a very long passphrase.
I want to ssh into server, from anywhere, from any device.. the client device may not have my keyfile, nor may I be able to load it.
admittedly I'm very new to ssh etc, so if I'm making silly assumptions, lemme know
 
By default it's not allowed to login as root with a password (as password logins are unsafe). So by default you need to use your asymmetric encryption key pair if you want to login as root. You can disable this limitation by setting "PermitRootLogin yes" in "/etc/ssh/sshd_config". But not recommended of course. Ideally you shouldn't make your SSH port accessible from the internet at all and use VPN instead. At least set up fail2ban to block IPs that try to attack your SSH (which happens all the time) and change the SSH port to something else.
 
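Added example, not part of any post in this thread: a shell check for the global PermitRootLogin value in sshd_config text, covering the setting discussed in the reply above. The sample files are constructed and the function names are hypothetical; Include files and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example (not from the thread): find the global PermitRootLogin value
# in sshd_config text. sshd keeps the first value it reads for a keyword, and
# OpenSSH defaults to prohibit-password when the keyword is absent.
# Not evaluated in this sketch: Include files and Match blocks.

# Constructed sample: stock-style file, keyword only present as a comment.
sample_default() {
cat <<'EOF'
#PermitRootLogin prohibit-password
PasswordAuthentication yes
EOF
}

# Constructed sample: the change described in the post above, plus a later
# line that has no effect because the first value wins.
sample_weakened() {
cat <<'EOF'
permitrootlogin yes
PermitRootLogin no
EOF
}

# Print the first uncommented global PermitRootLogin value, or the default.
permit_root_login() {
    awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        tolower($1) == "match" { exit }           # global section ends here
        tolower($1) == "permitrootlogin" { v = tolower($2); exit }
        END { print (v == "" ? "prohibit-password" : v) }
    '
}

# Map the value to what it means for root logins.
describe_root_login() {
    case "$(permit_root_login)" in
        yes) echo "root: any enabled method, including password" ;;
        prohibit-password|without-password) echo "root: key only" ;;
        forced-commands-only) echo "root: key with forced command only" ;;
        no) echo "root: denied" ;;
        *) echo "unrecognised value" ;;
    esac
}

sample_default | describe_root_login
sample_weakened | describe_root_login
# On a live host, `sshd -T | grep -i permitrootlogin` prints the effective value.
```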
stupid question: I have a PiKVM - can I just traffic thru that & not even bother setting up ssh on the server itself, & just enter encryption password thru/from PiKVM?
 
Yes, this will work technically and if the connection to PiKVM from outside is encrypted (ssh to PiKVM and/or vpn on top), it should be ok to transfer the pw over that.
If the pw would be transferred over an unencrypted line it can be fished and read in plain text, and then the holymoly-length of 68 characters would be no problem.
 