This started as a personal project, but I decided to turn it into a guide so no human being ever, EVER has to go through this discovery process again. There are some other guides that do some of this, but I didn't find any that do all of it. Along with many hours of trial and error, I've stolen from so many sources for this guide that I've lost track of them. My thanks and apologies to the giants whose shoulders I've stood on.
DISCLAIMER - READ THIS
This guide has rough edges. I'm sure it has some redundancies and could be made much more efficient. The setup has some pretty important limitations. I strongly recommend reading the entire guide before deciding that you want to do it, especially the section on recovering a RAID. It's not trivial and will probably require you to take your system offline.
This is an unofficial, highly experimental setup. Now or in the future, it may destroy your Proxmox install, your VMs, your critical data, and possibly your very soul. I just started using Proxmox last week and I honestly have no idea on some of the long term implications of this. This is NOT production ready. By following this guide, you agree not to sue me if something goes horribly wrong. I doubt I need to say this, but this process will erase any data on your drives.
This guide assumes you have a general working knowledge of Linux. You should be at least somewhat familiar with manual drive partitioning, BTRFS, RAID levels, LUKS, secure boot, initramfs, static IP VS DHCP, SSH, and similar concepts. I'll try to explain things as I go but this is aimed at intermediate to advanced users. It's assumed that you're capable of recognizing when a command needs to be adapted to your own setup (drive paths, for example). Support will be provided on an "I may get around to it eventually" basis.
KNOWN LIMITATIONS
Not true full disk encryption because the boot partition will be unencrypted (typical for LUKS root, still pretty good).
Haven't gotten TPM working yet.
Recovering a degraded RAID is a bear.
GOAL
By the end of this guide you will have:
Proxmox
Full data redundancy* on all partitions
Encrypted root partition (but not boot partition, so not "real" FDE)
Secure boot (no TPM unlock... yet)
Remote drive unlocking (with one password)
Emergency recovery keys for LUKS (optional)
PROCESS OUTLINE
Install Debian
... with a custom encrypted partition scheme
Get Remote Access
Install Proxmox
Configure Redundancy
Enable Secure Boot
Optional Extras
REQUIREMENTS
Debian 13 boot media
2 boot drives (preferably identical)
Relatively recent hardware (for TPM)
Physical (or OOB) access to the machine you're working on
INSTALLING DEBIAN - Part 1
I'd recommend starting with Secure Boot disabled. I've had a few weird issues when it isn't. We'll enable it again later on. It's hard to advise specific steps on this because every motherboard is different. If you can't find your secure boot settings in BIOS, try creating an admin password and check again. If that doesn't work, also try creating a user password. Sometimes this will make the secure boot settings reveal themselves.
Start up the Debian installer in Expert Mode. Proceed as normal until you get to partitioning. For this to work, we'll need to do some manual partitioning.
DRIVE PARTITIONING
This is not the only partition scheme that would work, but it's the one that worked for me. The guide assumes you're using this. For BTRFS mount options, I chose these.
noatime - Depends who you ask, but...
ssd - You're using one, right?
discard - This may have security implications but I personally think they're pretty low on the threat list in the grand scheme of things. https://wiki.archlinux.org/title/Dm...ard/TRIM_support_for_solid_state_drives_(SSD)
compression - The Debian default seems fine, but you may have boot issues if you change the level/algo.
Now for the actual partitioning. Clear the first partition table and select GPT for your new type. Lay out your first drive as follows.
P1: 1GB, EFI system partition
P2: 1GB, BTRFS, /boot mount point
P3: remaining space, physical volume for encryption, disable erase data flag if using SSD
Partition the second drive identically, but this time set partition 2 mount point to none. Once that's done, select Configure Encrypted Volumes and Finish. To set them up you'll need to set your new boot decryption password. The passwords for both drives should be identical. Once you do that you'll see two new entries in the partitioner. These are your decrypted root partitions. Set them both to BTRFS with the previously mentioned mount options. The first one should mount to /, the second should have an empty mount point.
Write partitions to disk. You'll get some warnings about two of the partitions not having mount points, and about not having swap set up. These are expected and can be safely ignored. At this point, you're operating exclusively off the first drive. Debian's installer can't automatically handle the redundancy for us, so we'll set it up manually in a later step.
INSTALLING DEBIAN - Part 2
Proceed through the rest of the Debian install as normal. Install GRUB as your bootloader, not systemd. The only other thing that tripped me up is that if you don't select the network install for packages, the Debian repos won't be automatically set up. The rest of the options should either have safe defaults or be reasonably self explanatory.
You may wish to set up an SSH key before you hit the finish button. /target is your virtual root, so put your public key in /target/root/.ssh and chmod it 600. You can also do this after reboot if you prefer.
After reboot, you'll need physical access to unlock your root partition. Once we're in, that's the first thing we'll fix.
INSTALL DROPBEAR
Next we're going to set up dropbear. Dropbear is a mini SSH server that can be put into your initramfs, so you can connect through SSH to unlock your LUKS root remotely. First, from a CLIENT computer, create an SSH key. Note that ed25519 type keys (the default for newer ssh-keygen) WILL NOT WORK. You'll need either ecdsa or rsa. If your usual key is already one of those types, you can just use that.
ssh-keygen -t ecdsa
Now, moving back to the Proxmox server. Update everything through apt if you haven't, then grab dropbear.
apt update
apt upgrade
apt install dropbear-initramfs
You'll see a warning about an invalid key file. This is basically just warning that there isn't a public key installed to dropbear. Let's fix that. Get your RSA or ECDSA public key to the following location, either through scp or copy+paste or whatever.
nano /etc/dropbear/initramfs/authorized_keys
Then run these setup commands.
echo 'echo "IP=192.168.1.101::192.168.1.1:255.255.255.0::eno1:off" > /etc/initramfs-tools/conf.d/dropbear-networking' > /etc/initramfs-tools/hooks/dropbear-networking-hook
OR
echo 'echo "IP=::::$(hostname)-initramfs:eno1:dhcp:::" > /etc/initramfs-tools/conf.d/dropbear-networking' > /etc/initramfs-tools/hooks/dropbear-networking-hook
sed -i 's/^#*DROPBEAR_OPTIONS=.*/DROPBEAR_OPTIONS="-p 22 -I 600 -j -k -s -c cryptroot-unlock"/' /etc/dropbear/initramfs/dropbear.conf
chmod 600 /etc/dropbear/initramfs/authorized_keys
chmod +x /etc/initramfs-tools/hooks/dropbear-*
update-initramfs -u
update-grub
(For some reason, I've sometimes had to run this set of commands twice or dropbear won't pick up network on boot. Not re-run after reboot, just run twice. I think it has something to do with the initramfs hook but for the life of me I can't figure out why. I have a feeling a clever commenter will spot some obvious problem that I missed...)
Let's look at a couple of these less obvious commands and see what they do.
# echo 'echo "IP=::::$(hostname)-initramfs:eno1:dhcp:::" > /etc/initramfs-tools/conf.d/dropbear-networking' > /etc/initramfs-tools/hooks/dropbear-networking-hook
This command creates an initramfs hook to configure dropbear's networking. The first version is for static, the other is for DHCP. I like to live dangerously, so I use the DHCP version. Works fine. In either case, you will need to replace eno1 with the name of your desired interface if you have multiple NICs. If you only have one NIC, the eno1 can be removed (untested).
For DHCP specifically, you can also set the hostname. Technically this can be anything. My regular hostname is "pve", so for initramfs this will set it to "pve-initramfs". I made it different from the main hostname because if you use a different key for regular SSH than you do for dropbear, your SSH client will complain about a key mismatch. This way I don't have to mess with that. This is set up as an initramfs hook in case the hostname ever changes. In that case, just regenerate your initramfs and it will automatically adapt to the new one.
# sed -i 's/^#*DROPBEAR_OPTIONS=.*/DROPBEAR_OPTIONS="-p 22 -I 600 -j -k -s -c cryptroot-unlock"/' /etc/dropbear/initramfs/dropbear.conf
This sets your actual dropbear options.
-p 22 is the standard SSH port of 22. I don't think there's much point in port obfuscation on something like this. It doesn't conflict with the regular OpenSSH port once the system is booted.
-I is a timeout (in seconds) after which dropbear will disconnect. This is optional and I gave it a pretty generous timer.
-j disables local port forwarding for security.
-k disables remote port forwarding for security.
-s restricts logins to key only, no password.
-c cryptroot-unlock restricts the shell to automatically unlocking crypt devices.
(One other caveat. Sometimes I have to connect to dropbear twice because the first one can't find a route. Running it again immediately works. It has nothing to do with how long I've waited for it to start. I suspect it's DHCP related. Don't know why dropbear keeps wanting me to do things twice...)
At this point, reboot to check your work. If all is well and you can SSH in to unlock your crypt volume and boot normally, proceed to the next step.
INSTALL PROXMOX
Now it's time to convert your regular old Debian install into Proxmox. The official documentation for Proxmox installation is quite good and straightforward, so I won't rehash it here. No modifications are necessary, or at least none that I've found so far.
https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_13_Trixie
(This will take several posts. Please hold all comments until the end...)
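A mistake in any of the three files written in the INSTALL DROPBEAR section only shows up at the next boot, when the fix needs physical access. The script below is an added example, not part of the original post, and its function names are made up here. It checks dropbear.conf for the -j, -k, -s and -c cryptroot-unlock flags, authorized_keys for mode 600 and the rsa/ecdsa key types the guide calls for, and the IP= line using the kernel's client:server:gateway:netmask:hostname:device:autoconf field order.

```shell
#!/bin/sh
# Added example, not from the original guide: pre-reboot check of the files
# written in the INSTALL DROPBEAR section. All function names are made up here.

# Value of the last uncommented DROPBEAR_OPTIONS="..." line in a dropbear.conf.
get_options() {
    sed -n 's/^DROPBEAR_OPTIONS="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# One line per guide flag that is absent (flags must be separate, not "-jk").
missing_flags() {
    opts=" $(get_options "$1") "
    for want in "-j" "-k" "-s" "-c cryptroot-unlock"; do
        case "$opts" in
            *" $want "*) ;;
            *) echo "missing $want" ;;
        esac
    done
}

# Problems with authorized_keys: mode other than 600, or a non-rsa/ecdsa key.
key_problems() {
    perm=$(ls -ld "$1" | cut -c1-10)
    [ "$perm" = "-rw-------" ] || echo "permissions $perm, guide sets 600"
    awk '/^[ \t]*(#.*)?$/ { next }
    {   kt = "unknown"
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/) { kt = $i; break }
        if (kt !~ /^(ssh-rsa|ecdsa-sha2-nistp(256|384|521))$/)
            print "line " NR ": key type " kt
    }' "$1"
}

# Split a kernel-style IP= value into name=value lines, one per field.
parse_ip() {
    printf '%s\n' "$1" | awk -F: '{
        n = split("client server gateway netmask hostname device autoconf dns0 dns1 ntp0", name, " ")
        for (i = 1; i <= n; i++) print name[i] "=" $i
    }'
}

# Problems with the IP= line that the hook writes to conf.d/dropbear-networking.
ip_problems() {
    fields=$(parse_ip "$(sed -n 's/^IP=//p' "$1" | tail -n 1)")
    auto=$(echo "$fields" | sed -n 's/^autoconf=//p')
    client=$(echo "$fields" | sed -n 's/^client=//p')
    case "$auto" in
        off|none|"") [ -n "$client" ] || echo "autoconf '$auto' with no client address" ;;
    esac
}

# Run against the guide's paths when they exist (that is, on the server itself).
d=/etc/dropbear/initramfs
n=/etc/initramfs-tools/conf.d/dropbear-networking
if [ -r "$d/dropbear.conf" ] && [ -r "$d/authorized_keys" ] && [ -r "$n" ]; then
    missing_flags "$d/dropbear.conf"
    key_problems "$d/authorized_keys"
    ip_problems "$n"
fi
```

Run it as root on the server after update-initramfs -u and before rebooting; no output means the three files match what the guide sets.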