Hi.
I am quite new to Proxmox VE on ZFS, and for my use cases I need an encrypted dataset (rpool/data). Based on what I have read so far, it should not be a big deal to generate an encryption key, create an encrypted dataset and store the key inside rpool/ROOT. I would do it like this:
Bash:
# Create a new encryption key
dd if=/dev/urandom bs=32 count=1 of=/.data.key
# Set the appropriate permissions
chmod 400 /.data.key
# Make the key immutable
chattr +i /.data.key
# Create a new dataset with encryption enabled
zfs create -o encryption=on -o keylocation=file:///.data.key -o keyformat=raw rpool/data
Next step: set up a systemd service for automatic unlocking in /etc/systemd/system/zfs-load-key.service
Code:
[Unit]
Description=Load encryption keys
DefaultDependencies=no
After=zfs-import.target
Before=zfs-mount.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/zfs load-key -a
[Install]
WantedBy=zfs-mount.service
I think so far that should be fine? ->> BUT: How to protect the key in rpool/ROOT? Encrypting might be an option, but I did not find a way of "easily" unlocking it. The posts I found so far describe entering a passphrase on bootup or using SSH with Dropbear for remote unlocking. But that does not fit our requirements, because the server will be located in a company with non-techies. So I need an easy way to unlock after a power outage, reboot, ... My idea is to create a USB drive that contains the key to unlock. When booting up, the people onsite should just plug in the USB drive and that's it. The question is HOW TO tell the system that the required key (file or passphrase) is on the USB drive, and HOW TO create this USB drive?
I thought maybe it could be an option not to encrypt rpool/ROOT and just point the rpool/data keylocation directly to the USB drive? Something like this:
Bash:
zfs create -o encryption=on -o keylocation=/dev/sdXy -o keyformat=raw rpool/data
But I didn't get it to work... Maybe I am using the wrong mount or path to the USB drive?
I would be very grateful if anybody could help me with that! I am a little bit desperate.
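A worked version of the removable-key idea, added here as an example and not part of the original post. It assumes the USB drive is mounted at /media/zfskey (for instance via an fstab entry with nofail) and that the raw key is /media/zfskey/data.key; it shows the file:// URI form that keylocation expects, a pre-flight check on the key file, and a unit that waits for that mount before running zfs load-key.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed paths: the USB drive is
# mounted at /media/zfskey and the 32-byte raw key lives in data.key on it.
KEY_MOUNT="${KEY_MOUNT:-/media/zfskey}"
KEY_FILE="${KEY_FILE:-$KEY_MOUNT/data.key}"

# zfs rejects a bare device or path as keylocation; it wants "prompt" or a
# file:// URI, which is the likely reason keylocation=/dev/sdXy failed.
keylocation_uri() {
    case "$1" in
        /*) printf 'file://%s\n' "$1" ;;
        *)  echo "keylocation must be an absolute path" >&2; return 1 ;;
    esac
}

# Pre-flight check before load-key: regular file, exactly 32 bytes
# (keyformat=raw needs a 256-bit key), mode 0400. Non-zero exit with a reason.
check_keyfile() {
    f="$1"
    [ -f "$f" ] || { echo "missing key file: $f" >&2; return 1; }
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -eq 32 ] || { echo "key is $size bytes, need 32" >&2; return 1; }
    mode=$(stat -c %a "$f")
    [ "$mode" = 400 ] || { echo "key mode is $mode, expected 400" >&2; return 1; }
    return 0
}

# Render the unit: RequiresMountsFor makes systemd wait for the USB mount
# (and fail cleanly if the drive is absent) before keys are loaded.
render_unit() {
    cat <<EOF
[Unit]
Description=Load ZFS encryption keys from removable drive
DefaultDependencies=no
After=zfs-import.target
Before=zfs-mount.service
RequiresMountsFor=$1

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/zfs load-key -a

[Install]
WantedBy=zfs-mount.service
EOF
}
```

Generate the key with `dd if=/dev/urandom bs=32 count=1 of=/media/zfskey/data.key`, then create the dataset with `-o keylocation=$(keylocation_uri "$KEY_FILE")` and write `render_unit "$KEY_MOUNT"` to the unit file.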