Extending ZFS Encryption to Pools Other than rpool

D

dmarc2024

New Member
Dec 6, 2024
7
2
3
Hey All -

Still learning, just installed yesterday in fact. So far so good but want to make sure I have encryption enabled before I create VMs and such.

So far, I have the default rpool pool encrypted using the steps here:

https://privsec.dev/posts/linux/using-native-zfs-encryption-with-proxmox/

All is working so no complaints there - the boot disk /rpool/ROOT and default rpool/data are encrypted and can be confirmed with zfs get encryption command:

root@pve01:~# zfs get encryption
NAME PROPERTY VALUE SOURCE
rpool encryption off default
rpool/ROOT encryption aes-256-gcm -
rpool/ROOT/pve-1 encryption aes-256-gcm -
rpool/ROOT/pve-1@copy encryption aes-256-gcm -
rpool/data encryption aes-256-gcm -
rpool/var-lib-vz encryption off default
root@pve01:~#


So here's my question - once I add another ZFS pool such as a raid10 called VM-DATA, how do I also encrypt this, as it shows it's not encrypted:
root@pve01:~# zfs get encryption
NAME PROPERTY VALUE SOURCE
VM-DATA encryption off default
rpool encryption off default
rpool/ROOT encryption aes-256-gcm -
rpool/ROOT/pve-1 encryption aes-256-gcm -
rpool/ROOT/pve-1@copy encryption aes-256-gcm -
rpool/data encryption aes-256-gcm -
rpool/var-lib-vz encryption off default



I would have thought it would be the same steps as in the URL provided above, but that doesn't seem to be the case:


root@pve01:~# zfs create -o acltype=posix -o atime=off -o compression=zstd-3 -o checksum=blake3 -o dnodesize=auto -o encryption=on -o keyformat=passphrase -o keylocation=file:///.data.key -o overlay=off -o xattr=sa VM-DATA
cannot create 'VM-DATA': missing dataset name
root@pve01:~#

Any ideas what I'm doing wrong or not understanding?

Thanks
 
Last edited:
EDIT: I think I may have figured it out to some degree using:


zfs create -o encryption=on -o keyformat=passphrase VM-DATA/data

Entering a passphrase and confirming it and then:

pvesm add zfspool encrypted_zfs -pool VM-DATA/data

I now see it as storage available in the GUI and it now appears to be encrypted:

root@pve01:~# zfs get encryption
NAME PROPERTY VALUE SOURCE
VM-DATA encryption off default
VM-DATA/data encryption aes-256-gcm -
rpool encryption off default
rpool/ROOT encryption aes-256-gcm -
rpool/ROOT/pve-1 encryption aes-256-gcm -
rpool/ROOT/pve-1@copy encryption aes-256-gcm -
rpool/data encryption aes-256-gcm -
rpool/var-lib-vz encryption off default
root@pve01:~#

Now I just need to figure out how to have it auto unlock upon boot... can I use the same keyfile as the URL in my first post guided me to?

More trial and error time.

EDIT: It seems it was just a matter of running this command and now it will unlock on its own like the rpool/data using the same keyfile called data.key.

zfs create -o acltype=posix -o atime=off -o compression=zstd-3 -o checksum=blake3 -o dnodesize=auto -o encryption=on -o keyformat=passphrase -o keylocation=file:///.data.key -o overlay=off -o xattr=sa VM-DATA/data

and then configuring it as storage via:

pvesm add zfspool encrypted_zfs -pool /VM-data/data

Are there any issues with using the same keyfile to unlock multiple pools like this?

Thanks
 
Last edited:
You must log in or register to reply here.
Top Bottom