Encrypting USB-Boot
- Thread starter droidus
- Start date
First, you shouldn't install Proxmox to a USB-Stick. Proxmox is write heavy and may write 30GB per day to that stick and kill it quite fast.
You can encrypt a new Proxmox installation but its not that easy. You can't use the ProxmoxVE ISO to install proxmox. You need to setup a luks encrypted Debian, edit your initramfs to use a dropbear ramfs to unlock your root partition using ssh and later install the proxmox packages to that encrypted debian.
You can encrypt a new Proxmox installation but its not that easy. You can't use the ProxmoxVE ISO to install proxmox. You need to setup a luks encrypted Debian, edit your initramfs to use a dropbear ramfs to unlock your root partition using ssh and later install the proxmox packages to that encrypted debian.
I was about to ask about this so glad it has been answered. I have a few questions:
- Is there any performance hit installing on Debian (effectively making it a Type-2 HV?) or does it actually offer more versatility?
- What dangers would you say there are in having an unencrypted bare metal installation of Proxmox if all VMs are encrypted? If stolen what would be the worst that could happen?
- If I have a secondary nested Proxmox VM (Proxmox in Proxmox) would the Debian route be the only way the second one is also encrypted? Is there any way to encrpt the volume that the VMs are stored on?
It still should be a Type-1 HV. The ProxmoxVE distribution is also based on a Debian with custom Ubuntu kernel. If you install the proxmox packages ontop of a Debian it will replace the default Debian kernel with the custom Proxmox kernel so its basically the same as the normal ProxmoxVE distribution.
Not sure. But if you want to be safe a full system encryption is always the best way. I only see 2 downsides of encrypting the Proxmox OS drive.
1.) You can't use ZFS. HW raid or SW raid using mdraid is still possible but both aren't that safe. You won't get features like bit rot prevention and so on if you are not using CEPH/ZFS. And mdraid isn't officially supported, so no one checks if a update would degrades your mdraid array.
2.) Its complicated and takes longer to setup
You can crate a partition later and use LUKS/ZFS as a encrypted VM storage. You don't need the Debian route for that. Both routes you basically get modified Debian and you can do everything what a normal Debian could do. But I think nested virtualization would only be useful for testing purposes.
Last edited:
Thanks for the great explanations.
Yes, nested Proxmox would only be for testing and compiling (mostly testing).
How would I encrypt the volume used to store VMs? If I remember correctly it would only let me select a volume that was not already formatted?
Also, if that volume is encrypted then is there no need to encrypt each individual VM?
Also, if that volume is encrypted then is there no need to encrypt each individual VM?
Maybe you could use LUKS on Debian Buster and install Proxmox on it (cryptsetup)... AFAIK it is possible to use a USB-Stick with a KEY to boot up automatically instead of type a Password on boot...
When setting up the volume where VMs will be stored (separate physical drive) there is no option to encrypt it. In the beginning where we initialise a hard disk for virtual machines. Is this at all possible/necessary?