I've decided to use OpenMediaVault for NAS VM, since I want both a ZFS mirror and a MergerFS + SnapRAID pool (very important vs less important data). OMV doesn't really support setting up encryption for you (at least for ZFS, that's how far I've come), so I have to do it more manually.
I don't want to encrypt the entire Proxmox install, since I've promised my gf that HomeAssistant will be working just fine after a restart.
I don't want to login to the OMV VM every time the server reboots, just to type some encryption key, so instead, I have thought about doing it like this:
* Use an encrypted storage on my Proxmox install
* Put my encryption keys in that storage
* Mount the storage as a hard drive to OMV
* Unlock filesystems at boot time of OMV using systemd
* Setup a script in Proxmox where I enter an encryption key, and after that, it unlocks the encrypted storage and starts the OMV VM
I think that will work, but I'm unsure about some things:
* Will the mounted hard drive be backed up when running a backup? EDIT: It can be excluded from backups, it's in the advanced options for the virtual disk.
* Is it enough to turn off swap on my OMV VM, so the key will never be written to an unencrypted filesystem?
* Or might it be that Proxmox will SWAP out the memory of my OMV VM, so the key will end up on an unencrypted filesystem?
* Anything else I've missed?
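As an added example (not from the original post), here is one way to write the Proxmox-side step of the plan above: a host script that prompts for the keystore passphrase, opens the encrypted keystore and then starts the OMV VM, refusing to continue while host swap is active so the guest's memory (and the keys it holds) cannot be paged out to plain disk. The device path, mapper name and VM id are assumed placeholders; the keystore is assumed to be a LUKS volume.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumed (placeholder) values:
# KEYSTORE_DEV is the LUKS volume holding the OMV encryption keys, MAPPER_NAME is
# the device-mapper name it is opened under (and passed through to the VM as a raw
# disk), VMID is the OMV VM.
set -eu

KEYSTORE_DEV="${KEYSTORE_DEV:-/dev/disk/by-id/REPLACE-WITH-KEYSTORE-DEVICE}"  # assumed
MAPPER_NAME="${MAPPER_NAME:-omv-keystore}"                                     # assumed
VMID="${VMID:-100}"                                                            # assumed

# swap_is_off LISTING: succeeds when a /proc/swaps-style listing holds only the
# header line, i.e. no active swap device on the host. The listing is passed as
# text so the check works on captured output as well as the live file.
swap_is_off() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF > 0 { n++ } END { exit (n > 0) }'
}

# vm_is_running STATUS: parses the output of `qm status VMID` ("status: running").
vm_is_running() {
    printf '%s\n' "$1" | grep -q '^status: running$'
}

# keystore_is_open: true once the device-mapper node for the keystore exists.
keystore_is_open() {
    [ -e "/dev/mapper/$MAPPER_NAME" ]
}

# unlock_and_start: cryptsetup reads the passphrase from the terminal, so it never
# appears on a command line or in shell history; then the VM is started.
unlock_and_start() {
    if ! swap_is_off "$(cat /proc/swaps)"; then
        echo "host swap is active; run 'swapoff -a' before unlocking" >&2
        return 1
    fi
    if ! keystore_is_open; then
        cryptsetup open "$KEYSTORE_DEV" "$MAPPER_NAME"
    fi
    if vm_is_running "$(qm status "$VMID")"; then
        echo "VM $VMID is already running" >&2
        return 0
    fi
    qm start "$VMID"
}

# The real sequence only runs when invoked with "run", so the helper functions can
# be sourced and checked without touching cryptsetup or qm.
if [ "${1:-}" = "run" ]; then
    unlock_and_start
fi
```

Run it as `sh unlock-omv.sh run` after a reboot. On the guest side the matching piece is a systemd unit ordered after the keystore disk is mounted that runs `zfs load-key -a` (with the datasets' `keylocation` pointing at a file on that disk) and then `zfs mount -a`; that part is configuration rather than script and is not shown here.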