Encrypting ZFS and other storage in OMV - keys in PVE, mount as storage to OMV?

[ChrisK]

I've decided to use OpenMediaVault for NAS VM, since I want both a ZFS mirror and a MergerFS + SnapRAID pool (very important vs less important data). OMV doesn't really support setting up encryption for you (at least for ZFS, that's how far I've come), so I have do to it more manually.

I don't want to encrypt the entire Proxmox install, since I've promised my gf that HomeAssistant will be working just fine after a restart.

I don't want to login to the OMV VM every time the server reboots, just to type some encryption key, so instead, I have thought about doing it like this:
* Use an encrypted storage on my Proxmox install
* Put my encryption keys in that storage
* Mount the storage as a hard drive to OMV
* Unlock filesystems at boot time of OMV using systemd
* Setup a script in Proxmox where I enter an encryption key, and after that, it unlocks the encrypted storage and starts the OMV VM

I think that will work, but I'm unsure about some things:
* Will the mounted hard drive be backed up when running a backup? EDIT: It can be excluded from backups, it's in the advanced options for the virtual disk.
* Is it enough to turn off swap on my OMV VM, so the key will never be written to an unencrypted filesystem?
* Or might it be that Proxmox will SWAP out the memory of my OMV VM, so the key will end up on an unencrypted filesystem?
* Anything else I've missed?

 

[ChrisK]

I went and encrypted the entire OMV VM in Proxmox, so at the moment I don't have to worry about keys being written to swap. I also added another small encrypted virtual disk, containing the keys.

Now I just need to see if I can disable the swap of my OMV instance, and thus hopefully back up my VM without any trace of the keys.