Extending ZFS Encryption to Pools Other than rpool

dmarc2024

New Member
Dec 6, 2024
Hey All -

Still learning, just installed yesterday in fact. So far so good but want to make sure I have encryption enabled before I create VMs and such.

So far, I have the default rpool pool encrypted using the steps here:

https://privsec.dev/posts/linux/using-native-zfs-encryption-with-proxmox/

All is working so no complaints there - the boot disk /rpool/ROOT and default rpool/data are encrypted, which can be confirmed with the zfs get encryption command:

root@pve01:~# zfs get encryption
NAME                   PROPERTY    VALUE        SOURCE
rpool                  encryption  off          default
rpool/ROOT             encryption  aes-256-gcm  -
rpool/ROOT/pve-1       encryption  aes-256-gcm  -
rpool/ROOT/pve-1@copy  encryption  aes-256-gcm  -
rpool/data             encryption  aes-256-gcm  -
rpool/var-lib-vz       encryption  off          default
root@pve01:~#


So here's my question - once I add another ZFS pool such as a raid10 called VM-DATA, how do I also encrypt this, as it shows it's not encrypted:

root@pve01:~# zfs get encryption
NAME                   PROPERTY    VALUE        SOURCE
VM-DATA                encryption  off          default
rpool                  encryption  off          default
rpool/ROOT             encryption  aes-256-gcm  -
rpool/ROOT/pve-1       encryption  aes-256-gcm  -
rpool/ROOT/pve-1@copy  encryption  aes-256-gcm  -
rpool/data             encryption  aes-256-gcm  -
rpool/var-lib-vz       encryption  off          default

I would have thought it would be the same steps as in the URL provided above, but that doesn't seem to be the case:

root@pve01:~# zfs create -o acltype=posix -o atime=off -o compression=zstd-3 -o checksum=blake3 -o dnodesize=auto -o encryption=on -o keyformat=passphrase -o keylocation=file:///.data.key -o overlay=off -o xattr=sa VM-DATA
cannot create 'VM-DATA': missing dataset name
root@pve01:~#

Any ideas what I'm doing wrong or not understanding?

Thanks

EDIT: I think I may have figured it out to some degree using:

zfs create -o encryption=on -o keyformat=passphrase VM-DATA/data

Entering a passphrase and confirming it and then:

pvesm add zfspool encrypted_zfs -pool VM-DATA/data

I now see it as storage available in the GUI and it now appears to be encrypted:

root@pve01:~# zfs get encryption
NAME                   PROPERTY    VALUE        SOURCE
VM-DATA                encryption  off          default
VM-DATA/data           encryption  aes-256-gcm  -
rpool                  encryption  off          default
rpool/ROOT             encryption  aes-256-gcm  -
rpool/ROOT/pve-1       encryption  aes-256-gcm  -
rpool/ROOT/pve-1@copy  encryption  aes-256-gcm  -
rpool/data             encryption  aes-256-gcm  -
rpool/var-lib-vz       encryption  off          default
root@pve01:~#

Now I just need to figure out how to have it auto unlock upon boot... can I use the same keyfile as the URL in my first post guided me to?

More trial and error time.

EDIT: It seems it was just a matter of running this command, and now it will unlock on its own like rpool/data does, using the same keyfile called data.key.

zfs create -o acltype=posix -o atime=off -o compression=zstd-3 -o checksum=blake3 -o dnodesize=auto -o encryption=on -o keyformat=passphrase -o keylocation=file:///.data.key -o overlay=off -o xattr=sa VM-DATA/data

and then configuring it as storage via:

pvesm add zfspool encrypted_zfs -pool /VM-data/data

Are there any issues with using the same keyfile to unlock multiple pools like this?

Thanks
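On the closing question about reusing one keyfile: in the layout the post shows, /.data.key lives on rpool/ROOT/pve-1, which is itself encrypted and unlocked by passphrase at boot, so pointing VM-DATA/data at the same file does not expose the key anywhere it was not already exposed for rpool/data. What changes is that one file now guards two pools, so the two things worth verifying are that the file is readable by root only and that you know exactly which datasets become unreadable if it is lost. The script below is an added example, not part of the post or of the privsec guide it links; it assumes only the tab-separated shape of `zfs get -H -o name,value keylocation` output, and the dataset table embedded in it is constructed to mirror the post's final layout.

```shell
#!/bin/sh
# Added example (not from the forum post): audit a ZFS key file that is
# shared by several encrypted datasets. Assumes only the output shape of
# `zfs get -H -o name,value keylocation` (dataset<TAB>keylocation).

# Constructed sample of `zfs get -H -o name,value keylocation` output,
# mirroring the post: rpool/data and VM-DATA/data share file:///.data.key.
SAMPLE_KEYLOCATIONS=$(printf 'rpool\tnone\nrpool/ROOT\tprompt\nrpool/ROOT/pve-1\tnone\nrpool/data\tfile:///.data.key\nVM-DATA\tnone\nVM-DATA/data\tfile:///.data.key\n')

# datasets_using_key TABLE KEYLOCATION
# Prints every dataset whose keylocation equals KEYLOCATION, one per line.
datasets_using_key() {
    printf '%s\n' "$1" | awk -F '\t' -v loc="$2" '$2 == loc { print $1 }'
}

# count_datasets_using_key TABLE KEYLOCATION
# Number of datasets that become unreadable if this one key file is lost.
count_datasets_using_key() {
    datasets_using_key "$1" "$2" | wc -l | tr -d ' '
}

# keyfile_path_from_location KEYLOCATION
# Turns file:///.data.key into /.data.key; prints an empty line for
# prompt/none, which have no file behind them.
keyfile_path_from_location() {
    case "$1" in
        file://*) printf '%s\n' "${1#file://}" ;;
        *)        printf '\n' ;;
    esac
}

# keyfile_is_private PATH
# Returns 0 when PATH is a regular file with no group/other permission
# bits at all (0600 or 0400), 1 when it is missing or wider than that.
keyfile_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)   # group+other part of the mode string
    [ "$perms" = "------" ]
}

# audit_keyfile TABLE KEYLOCATION
# Human-readable report: which datasets depend on the key and whether the
# file's permissions are tight.
audit_keyfile() {
    path=$(keyfile_path_from_location "$2")
    n=$(count_datasets_using_key "$1" "$2")
    printf 'key %s unlocks %s dataset(s):\n' "$2" "$n"
    datasets_using_key "$1" "$2" | sed 's/^/  /'
    if [ -n "$path" ]; then
        if keyfile_is_private "$path"; then
            printf 'permissions on %s: ok (owner only)\n' "$path"
        else
            printf 'permissions on %s: WARNING - missing, or readable by group/other\n' "$path"
        fi
    fi
}

# Stand-alone run against the constructed table.
audit_keyfile "$SAMPLE_KEYLOCATIONS" 'file:///.data.key'
```

On a live host, replace the constructed table with real output, for example `audit_keyfile "$(zfs get -H -o name,value keylocation)" file:///.data.key`, and run it as root so the key file is readable. The permission check deliberately accepts only modes with no group/other bits, because a key file that any local user can read makes the at-rest encryption of every dataset listed in the report moot.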