Encryption Options for VMs / Server

You may possibly want to search for TANG and CLEVIS.

This toolset can unlock the LUKS key via your local and trusted network. If the server is stolen, it will probably not be able to establish contact with your TANG server. So CLEVIS cannot unlock the keys - the data stays encrypted.
Thx. I will look at it and see how far I'll get. :)

Not sure I understood what you are asking, but with LUKS block devices you usually make use of /etc/crypttab [1]:

Or you might be looking for a solution like dropbear [2]?

See e.g.: https://neilzone.co.uk/2023/05/unlocking-a-luks-encrypted-partition-via-ssh-on-debian-12-bookworm/

[1] https://www.freedesktop.org/software/systemd/man/latest/crypttab.html
[2] https://matt.ucc.asn.au/dropbear/dropbear.html
In general I am looking for a solution to decrypt all containers automatically and mount them to the mount point I set. I just thought about saving the passphrases in the TPM and just unlocking the TPM with a PIN. So I just need to unlock the TPM instead of every LUKS container. But I'm not familiar with this so far. In general I'm looking for a user-friendly and safe solution, or whatever fits this problem best.
 
I am just really confused about this - what do you mean? Or I might be somehow slow today
My workflow right now, when I reboot Proxmox:

1. decrypt my LUKS containers with the passphrase (cryptsetup luksOpen /dev/... + passphrase)
2. mount them to a mount point I set to use them as storage (maybe there is a better option I don't know of yet)

So what I want is to automate these tasks, so I don't need to do them manually.

This might be none of my business, but why would you want to have individual LUKS containers, i.e. storing LUKS with a filesystem within on ZFS or possibly LVM? Do you, for some reason, need a different encryption key for every volume? But then I do not quite get the intention to make use of the TPM...
It's about regulations. I would use the TPM to store the keys for the LUKS containers, then set a PIN for the TPM. So when rebooting Proxmox you just need to enter the PIN instead of every passphrase. Just to save time and work and automate the process.

But why not have one LUKS partition for e.g. entire ZFS pool?

If you can explain to me how to set this up for multiple hard disks, I'm interested^^

Can you explain your hardware setup in more detail? Maybe I am the only one not getting it, but the typical fashion I would use LUKS in is that I put it as the first layer on a physical drive, or technically would create a GPT partition over the entire drive (save for EFI if it's a boot drive) and make that a LUKS volume. Then you use that as LVM PVs or ZFS vdevs - after they are opened at boot time via crypttab, they are just used by LVM/ZFS like any other (not encrypted) block device. It's all transparent. Now you may or may not want to use the same key for each LUKS volume, but if it's all on one machine I do not see much benefit in using different LUKS keys for different drives...
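The layering described above (LUKS as the first layer on each physical drive, opened from /etc/crypttab at boot, ZFS or LVM on top of the /dev/mapper devices) as an added example that is not from this thread: one keyfile on the already-unlocked root filesystem unlocks every data drive, so a single passphrase at boot covers all of them, and a small lint catches entries that would still prompt. The mapper names data0..data3, the keyfile path /root/data.key and the UUIDs used in the helper are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: mapper devices data0..data3,
# keyfile /root/data.key kept on the root filesystem that is itself LUKS-encrypted
# and unlocked with a passphrase at boot; UUIDs come from `blkid` on real hardware.
KEYFILE=/root/data.key

# One /etc/crypttab entry: <mapper name> <UUID=...> <keyfile> <options>
# "discard" passes TRIM through for SSDs; it reveals the free-space layout,
# so drop it if that matters for your regulations.
crypttab_line() {
    printf '%s UUID=%s %s luks,discard\n' "$1" "$2" "$3"
}

# Emit an entry per "name:uuid" argument, all unlocked by the same keyfile.
# Afterwards the pool sits on the mapper devices, e.g.
#   zpool create tank /dev/mapper/data0 /dev/mapper/data1 ...
gen_crypttab() {
    for pair in "$@"; do
        crypttab_line "${pair%%:*}" "${pair#*:}" "$KEYFILE"
    done
}

# Lint a crypttab read from stdin: every entry needs 4 fields, a unique mapper
# name and a real keyfile (a "none" keyfile means a prompt at every reboot).
# Prints one finding per line; returns 1 if anything was found.
check_crypttab() {
    awk '
        BEGIN { bad = 0 }
        /^[[:space:]]*(#|$)/ { next }
        NF < 4 { print "line " NR ": expected 4 fields, got " NF; bad = 1; next }
        $3 == "none" || $3 == "-" { print $1 ": no keyfile, will prompt at boot"; bad = 1 }
        seen[$1]++ { print $1 ": duplicate mapper name"; bad = 1 }
        END { exit bad }
    '
}

# Enrolment that writes to real devices: run once, as root, on the server.
# luksAddKey adds the keyfile as an extra key slot; the passphrase slot stays.
enrol_keyfile() {
    dd if=/dev/urandom of="$KEYFILE" bs=64 count=1 status=none
    chmod 0400 "$KEYFILE"
    for dev in "$@"; do
        cryptsetup luksAddKey "$dev" "$KEYFILE"
    done
}
```

Typical use on the server: `enrol_keyfile /dev/nvme0n1p1 /dev/nvme1n1p1 ...`, then `gen_crypttab data0:<uuid> data1:<uuid> ... >> /etc/crypttab` and `check_crypttab < /etc/crypttab` before rebooting.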
For example a server with 4 NVMEs and 2 SSDs: on the SSDs Proxmox in mirror RAID and the 4 NVMEs for VMs. So for me, so far, I need to encrypt all NVMEs and the SSDs if I want to encrypt Proxmox as well. If you can tell me how to encrypt all with LUKS at once, that would be lovely.

Did you have a look here, for instance? :)

 
Ok, and how does your crypttab look now? I referred to it in one of the posts [1] there.
I just thought it was a really good thread for your use case because it touched a bit of everything, there was LVM, ZFS, even mdadm and LUKS underneath it all...

[1] https://forum.proxmox.com/threads/proxmox-8-luks-encryption-question.137150/page-2#post-611562
My crypttab is empty so far; I will come to this when I have tried some options. For me the task was now to find out what is possible so far. I guess your solution for the hard disks would also be to set up a RAID 0. But there I come to the point: what to do when I need to install a new hard drive? And then I guess for me the better solution could be the TPM one I described... The thread was helpful after all, so thx for it :). It gave me (for now) basic knowledge to keep going. Maybe I will deep dive into it later. For now I need to get to know the solutions offered and see what will work for me, so maybe we can discuss crypttab later when I come to it. Would be nice if you could help me out there again if needed :)
 
For example a server with 4 NVMEs and 2 SSDs: on the SSDs Proxmox in mirror RAID and the 4 NVMEs for VMs.

I guess your solution for the hard disks would also be to set up a RAID 0. But there I come to the point: what to do when I need to install a new hard drive?

No, you can have LUKS over a hardware mirror; it's just that the OP in that thread was going to install mdadm.

And then I guess for me the better solution could be the TPM one I described...

I believe TPM or not is really an unrelated topic to LUKS.

For now I need to get to know the solutions offered and see what will work for me, so maybe we can discuss crypttab later when I come to it. Would be nice if you could help me out there again if needed :)

No worries.