Encrypting USB-Boot

droidus
Apr 5, 2020
Is there any way to encrypt an existing Proxmox USB stick that it boots from, to prevent someone from modifying files on it?
 
First, you shouldn't install Proxmox to a USB stick. Proxmox is write heavy and may write 30GB per day to that stick and kill it quite fast.
You can encrypt a new Proxmox installation, but it's not that easy. You can't use the ProxmoxVE ISO to install Proxmox. You need to set up a LUKS-encrypted Debian, edit your initramfs to use a dropbear ramfs to unlock your root partition using SSH, and later install the Proxmox packages to that encrypted Debian.
 
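The Debian route described above (LUKS root, dropbear in the initramfs so the root partition can be unlocked over SSH) as an added example script; this is not code from the thread or from Proxmox. It assumes Debian Buster/Bullseye file locations, a static address for the initramfs network stage, and that the function names, `ADMIN_PUBKEY` and the `ROOT` path prefix are the script's own inventions.

```shell
#!/bin/sh
# Added example, not from the thread or the Proxmox project. Prepares the
# remote-unlock step: dropbear inside the initramfs so the LUKS root can be
# unlocked over SSH, with the SSH key limited to cryptroot-unlock.
# Assumes Debian Buster/Bullseye paths (/etc/dropbear-initramfs). ROOT is an
# assumed helper that prefixes all paths so the writers can run in a scratch dir.
ROOT="${ROOT:-}"

# dropbear options: -p custom port, -s no password logins, -j/-k no port
# forwarding, -I drop an idle session after 180 s.
write_dropbear_config() {
    mkdir -p "$ROOT/etc/dropbear-initramfs"
    printf 'DROPBEAR_OPTIONS="-I 180 -j -k -p %s -s"\n' "$1" \
        > "$ROOT/etc/dropbear-initramfs/config"
}

# Authorised key pinned to cryptroot-unlock: whoever holds the key gets only
# the passphrase prompt in the initramfs, never a shell.
add_unlock_key() {
    mkdir -p "$ROOT/etc/dropbear-initramfs"
    printf 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock" %s\n' \
        "$1" >> "$ROOT/etc/dropbear-initramfs/authorized_keys"
    chmod 600 "$ROOT/etc/dropbear-initramfs/authorized_keys"
}

# Kernel ip= parameter so the initramfs has an address before root is unlocked.
# Format: client:server:gateway:netmask:hostname:device:autoconf.
set_initramfs_ip() {
    mkdir -p "$ROOT/etc/default/grub.d"
    printf 'GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ip=%s::%s:%s:%s::off"\n' \
        "$1" "$2" "$3" "$4" > "$ROOT/etc/default/grub.d/initramfs-net.cfg"
}

# Real run (as root on the target): install dropbear-initramfs, write the
# config, then rebuild the initramfs and the GRUB config.
apply() {
    apt-get install -y dropbear-initramfs
    write_dropbear_config 2222
    add_unlock_key "$ADMIN_PUBKEY"
    set_initramfs_ip "$1" "$2" "$3" "$(hostname)"
    update-initramfs -u -k all
    update-grub
}

# Usage: ADMIN_PUBKEY='ssh-ed25519 AAAA... admin' sh unlock-setup.sh apply 10.0.0.5 10.0.0.1 255.255.255.0
if [ "${1:-}" = "apply" ]; then
    apply "$2" "$3" "$4"
fi
```

After a reboot the host listens on port 2222 in the initramfs; `ssh -p 2222 root@10.0.0.5` runs cryptroot-unlock and asks for the LUKS passphrase, then the normal boot continues.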
> First, you shouldn't install Proxmox to a USB stick. Proxmox is write heavy and may write 30GB per day to that stick and kill it quite fast.
> You can encrypt a new Proxmox installation, but it's not that easy. You can't use the ProxmoxVE ISO to install Proxmox. You need to set up a LUKS-encrypted Debian, edit your initramfs to use a dropbear ramfs to unlock your root partition using SSH, and later install the Proxmox packages to that encrypted Debian.

I was about to ask about this, so glad it has been answered. I have a few questions:

  1. Is there any performance hit installing on Debian (effectively making it a Type-2 HV?) or does it actually offer more versatility?
  2. What dangers would you say there are in having an unencrypted bare metal installation of Proxmox if all VMs are encrypted? If stolen, what would be the worst that could happen?
  3. If I have a secondary nested Proxmox VM (Proxmox in Proxmox), would the Debian route be the only way the second one is also encrypted? Is there any way to encrypt the volume that the VMs are stored on?
Thanks.
 
> I was about to ask about this, so glad it has been answered. I have a few questions:
>
>   1. Is there any performance hit installing on Debian (effectively making it a Type-2 HV?) or does it actually offer more versatility?

It should still be a Type-1 HV. The ProxmoxVE distribution is also based on Debian with a custom Ubuntu kernel. If you install the Proxmox packages on top of a Debian, it will replace the default Debian kernel with the custom Proxmox kernel, so it's basically the same as the normal ProxmoxVE distribution.

>   2. What dangers would you say there are in having an unencrypted bare metal installation of Proxmox if all VMs are encrypted? If stolen, what would be the worst that could happen?

Not sure. But if you want to be safe, a full system encryption is always the best way. I only see 2 downsides of encrypting the Proxmox OS drive.
1.) You can't use ZFS. HW RAID or SW RAID using mdraid is still possible, but both aren't that safe. You won't get features like bit rot prevention and so on if you are not using CEPH/ZFS. And mdraid isn't officially supported, so no one checks if an update would degrade your mdraid array.
2.) It's complicated and takes longer to set up.

>   3. If I have a secondary nested Proxmox VM (Proxmox in Proxmox), would the Debian route be the only way the second one is also encrypted? Is there any way to encrypt the volume that the VMs are stored on?

You can create a partition later and use LUKS/ZFS as an encrypted VM storage. You don't need the Debian route for that. With both routes you basically get a modified Debian, and you can do everything that a normal Debian could do. But I think nested virtualization would only be useful for testing purposes.
 
> You can create a partition later and use LUKS/ZFS as an encrypted VM storage. You don't need the Debian route for that. With both routes you basically get a modified Debian, and you can do everything that a normal Debian could do. But I think nested virtualization would only be useful for testing purposes.

Thanks for the great explanations.
Yes, nested Proxmox would only be for testing and compiling (mostly testing).
 
How would I encrypt the volume used to store VMs? If I remember correctly it would only let me select a volume that was not already formatted?

Also, if that volume is encrypted then is there no need to encrypt each individual VM?
 
Maybe you could use LUKS on Debian Buster and install Proxmox on it (cryptsetup)... AFAIK it is possible to use a USB stick with a key to boot up automatically instead of typing a password on boot...
Thanks, this is what I was looking for!