How To: Enable encryption for local storage in PVE 6.2.4?

mpizzolo

Oct 15, 2019
Hello,

We already have a remote RBD Ceph Octopus cluster with encryption, but would like to turn on encryption for some nodes that have local NVMe drives. Is there a good way of enabling encryption for unshared local storage? I am not looking to use arrays at all, if at all possible, just single-point-of-failure standalone JBOD disks.

Note: /dev/nvme0n1 was encrypted with LUKS and appears as a Device Mapper configured disk.

[two screenshots attached: the node's disk list, with /dev/nvme0n1 shown as a Device Mapper disk]


Thanks,
Marco
 
We didn't follow one single guide, but rather pulled from a couple of different sources to understand what was required. The overall process was roughly:

  1. Wipe all disks but the OS boot disk (wipefs --all --force /dev/nvme0n1)
  2. For each NVMe we ran: zpool create -f -o ashift=12 disk0 /dev/nvme0n1
  3. For each NVMe we ran: zpool set feature@encryption=enabled disk0
  4. For each NVMe we ran: zfs create -o encryption=on -o keyformat=passphrase disk0/encrypted
  5. For each NVMe we finally ran: pvesm add zfspool disk0_encrypted -pool disk0/encrypted
  6. We limited the hosts for which each storage was available to just the host on which its disk is local.
We incremented the device name and the disk number for each.

I hope this helps.
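The six steps above, scripted for several NVMe disks, as an added example that is not code from the post or from Proxmox. It keeps the post's names (disk0, disk0/encrypted, disk0_encrypted) and does step 6 with the `--nodes` option of `pvesm add`. My own assumptions and additions: the node name `pve1` and the device list are placeholders supplied on the command line; `aes-256-gcm` is requested explicitly rather than relying on what `encryption=on` resolves to; the post's `zpool set feature@encryption=enabled` is left out because `zpool create` on ZFS on Linux 0.8 already enables all supported features; and the DRY_RUN switch, the device-name check, the `zfs get` verification line and the `unlock_all` helper are mine.

```shell
#!/usr/bin/env sh
# Added example, not code from the original post or from Proxmox: provision
# one encrypted ZFS pool per local NVMe disk on a Proxmox VE node and register
# each pool as a zfspool storage pinned to that node. Names follow the post
# (disk0, disk0/encrypted, disk0_encrypted); aes-256-gcm, DRY_RUN, the device
# check, the verification line and unlock_all are my additions.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands; 0 = run them (destroys data on the disks)

# Accept only a whole NVMe namespace such as /dev/nvme0n1. The plan is later
# passed to eval, so nothing but a plain device path may get through here.
valid_nvme_dev() {
  expr "x$1" : 'x/dev/nvme[0-9][0-9]*n[0-9][0-9]*$' >/dev/null
}

# Print the commands for one disk, one per line, so the plan can be reviewed
# (or tested) without touching a device. $1 = index, $2 = device, $3 = node.
# After "zfs create" the "zfs get" line should report encryption aes-256-gcm,
# keystatus available and keyformat passphrase.
plan_disk() {
  printf '%s\n' \
    "wipefs --all --force $2" \
    "zpool create -f -o ashift=12 disk$1 $2" \
    "zfs create -o encryption=aes-256-gcm -o keyformat=passphrase -o keylocation=prompt disk$1/encrypted" \
    "zfs get -H -o property,value encryption,keystatus,keyformat disk$1/encrypted" \
    "pvesm add zfspool disk$1_encrypted --pool disk$1/encrypted --nodes $3"
}

# Execute (or, with DRY_RUN=1, echo) the plan for one disk. The plan is read
# on fd 3 on purpose: "zfs create ... keylocation=prompt" reads the passphrase
# from stdin, and a plain "plan | while read" loop would hand it the remaining
# plan lines as the passphrase instead of the operator's terminal.
run_plan() {
  while IFS= read -r cmd <&3; do
    if [ "$DRY_RUN" = "1" ]; then
      printf '[dry-run] %s\n' "$cmd"
    else
      printf '+ %s\n' "$cmd"
      eval "$cmd"
    fi
  done 3<<EOF
$(plan_disk "$1" "$2" "$3")
EOF
}

# provision <node> <device>...  : disk index counts up from 0, as in the post.
provision() {
  node="$1"; shift
  idx=0
  for dev in "$@"; do
    valid_nvme_dev "$dev" || { echo "refusing unexpected device name: $dev" >&2; return 1; }
    run_plan "$idx" "$dev" "$node"
    idx=$((idx + 1))
  done
}

# After a reboot every disk*/encrypted dataset is locked again (keystatus
# unavailable): Proxmox does not prompt for the passphrase, so guests on the
# disk*_encrypted storages cannot start until the keys are loaded. Run this
# from an interactive session (or a unit that can supply the passphrase).
unlock_all() {
  zfs load-key -a && zfs mount -a
}

# Usage: DRY_RUN=1 sh encrypt-local-nvme.sh pve1 /dev/nvme0n1 /dev/nvme1n1
if [ "$#" -ge 2 ]; then
  provision "$@"
fi
```

Run it with DRY_RUN=1 first and check the printed plan against the disks you really want wiped; with DRY_RUN=0, `zfs create` will ask for the passphrase (at least 8 characters) twice per disk. Note that native ZFS encryption protects file data, file names and zvol contents, but pool and dataset names and properties stay readable, and that `keylocation=prompt` means nothing unlocks the datasets unattended after a reboot, which is the point of choosing a passphrase but also why `unlock_all` has to run before guests on those storages start.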