How to encrypt new disk in PVE?

virtualizerforlife
Jan 12, 2025
So far I have plugged in the new disk, but I'm wondering how to encrypt it in PVE? Is this possible?
I have been trying to search the forums and the internet for the answer, but I have not been able to find any.


Or should I encrypt it in another environment (a Linux environment on my main computer, for example) and then plug it into the PVE?
 
how about leaving the new disk unencrypted and choosing "LVM-thin" option,
I am using ZFS exclusively, so I can not (and should not) say much about the other storage solutions.

...then encrypting from each VM where it is used? Do you think it is safe?
Encrypting a disk from the inside of a VM? Sounds wrong to me as it adds additional attack vectors and key management problems. From my personal point of view the host should handle encryption. (My VMs are my VMs - it may be different if you have customers who manage their own VMs on your server.)

But it always depends on which attack scenario you are examining. (And there are multiple.) If the attacker already controls the host he can "see" you unlocking the VM. But it may be sufficient for "all hosts were stolen and the thieves shall not be able to start/decrypt that VM".

Sorry, I am no specialist for this. The only FDE (Full-Disk Encryption) I actually use is for all laptops (which may get stolen) and for my Qubes OS workstations. In my PVE context only the backups are always encrypted, as they leave the cluster.

----
Edit: one step sideways. What I did do some years ago was to evaluate Tang+Clevis, https://github.com/latchset/clevis. That would be a really small server on a separate location. As long as that Tang server was reachable from my to-be-secured host it could start and decrypt itself fully automatically - so no manual user interaction was required. As soon as the system would get stolen it would not be able to connect to Tang and the whole data would stay encrypted. This worked great and it felt really elegant. And it should be possible to implement it on a PVE node, in the moment before offering storage to PVE. I did not do that yet because... I think I am physically safe. Maybe I should reexamine that topic...
 
The more generic way, e.g. used by the Debian installer, is cryptsetup + LUKS
(e.g. you can follow https://reintech.io/blog/configuring-luks-encrypted-disk-debian-12 )

I would not recommend using encryption within the VMs; you will need to handle key material/passphrases during the boot process of each VM. The same applies to the host if your system partitions are encrypted. That might not be a problem, e.g. in the case of a laptop, but for a server you might utilize something like:
https://www.adyxax.org/blog/2025/03/07/unlocking-a-luks-partition-on-boot-via-ssh-on-debian/

Relying on encryption within the VMs will impact features like deduplication.

BR, Lucas
 
thank you

So I have my PVE installed on top of Debian with LUKS on the main disk, but how do I get my second disk encrypted with LUKS and then attach it to PVE?
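An added example, not written by any poster in this thread, that carries Lucas's cryptsetup + LUKS suggestion through for exactly this situation: the second disk gets a LUKS2 container, is unlocked at boot with a keyfile kept on the already-encrypted root, and the unlocked mapper device is offered to PVE as LVM-thin storage through PVE's own pvesm CLI. The device path is a placeholder, and the mapper name, volume group and storage id "crypt-thin" are assumed names; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread: LUKS2-encrypt a second disk on a PVE node,
# unlock it at boot with a keyfile kept on the already-encrypted root, and hand
# the unlocked mapper device to PVE as LVM-thin storage. Assumed names:
# CRYPT_DISK (placeholder path), CRYPT_NAME, CRYPT_VG, storage id "crypt-thin".
# DRY_RUN=1 prints the commands instead of running them (otherwise run as root).
set -eu

CRYPT_DISK="${CRYPT_DISK:-/dev/disk/by-id/REPLACE-WITH-YOUR-DISK-ID}"
CRYPT_NAME="${CRYPT_NAME:-crypt-data}"                 # -> /dev/mapper/crypt-data
CRYPT_KEYFILE="${CRYPT_KEYFILE:-/root/.luks/$CRYPT_NAME.key}"
CRYPT_VG="${CRYPT_VG:-vg-$CRYPT_NAME}"

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# 1. Random 64-byte keyfile, root-only. It only protects the data because it
#    lives on the LUKS-encrypted root filesystem the OP already has.
make_keyfile() {
  run install -d -m 700 "$(dirname "$CRYPT_KEYFILE")"
  run sh -c "umask 077 && head -c 64 /dev/urandom > '$CRYPT_KEYFILE'"
}

# 2. LUKS2 container: slot 0 = keyfile (auto-unlock), slot 1 = recovery passphrase.
luks_format() {
  run cryptsetup luksFormat --type luks2 --batch-mode "$CRYPT_DISK" "$CRYPT_KEYFILE"
  run cryptsetup luksAddKey --key-file "$CRYPT_KEYFILE" "$CRYPT_DISK"  # prompts for passphrase
  run cryptsetup open --key-file "$CRYPT_KEYFILE" "$CRYPT_DISK" "$CRYPT_NAME"
}

# 3. /etc/crypttab line so the disk is unlocked right after root at every boot.
crypttab_line() {  # $1 = LUKS UUID (from: blkid -s UUID -o value "$CRYPT_DISK")
  printf '%s UUID=%s %s luks\n' "$CRYPT_NAME" "$1" "$CRYPT_KEYFILE"
}

# 4. LVM-thin on the mapper device, registered with PVE's own pvesm CLI.
pve_storage() {
  run pvcreate "/dev/mapper/$CRYPT_NAME"
  run vgcreate "$CRYPT_VG" "/dev/mapper/$CRYPT_NAME"
  run lvcreate -l 95%FREE -n data "$CRYPT_VG"          # leave room for pool metadata
  run lvconvert --type thin-pool "$CRYPT_VG/data"
  run pvesm add lvmthin crypt-thin --vgname "$CRYPT_VG" --thinpool data --content images,rootdir
}

main() {
  make_keyfile; luks_format
  crypttab_line "$(blkid -s UUID -o value "$CRYPT_DISK")" >> /etc/crypttab
  pve_storage
}
if [ "${1:-}" = "--apply" ]; then main; fi
```

Keep the recovery passphrase offline: if the root filesystem (and with it the keyfile) is ever lost, that passphrase is the only way back into the data disk.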