How-To: Setup disk encryption with LUKS - Proxmox 2.0 Beta2

mbello

Nov 23, 2011
Hi,

I spent quite a few hours getting Proxmox 2.0 Beta2 to work on an encrypted partition and would like to share my efforts with the community as my first thank you to all of you who helped build this awesome piece of software.
I have read about many people going the "Debian installation first, then Proxmox" way to have custom partitions and an encryption setup, but I simply wanted to change Proxmox without reinstalling everything.

Following these steps should take less than 5 minutes to complete. However, note that I have executed these steps on a brand new installation; if you have important data in your /var/lib/vz directory you must think carefully to figure out a good backup method, because THESE STEPS MAY LEAD TO THE LOSS OF ALL DATA ON /var/lib/vz (/dev/pve/data).

I am assuming you will be logged in as root.

**USE IT AT YOUR OWN RISK **


1. cryptsetup is required
Code:
apt-get install cryptsetup


2. Let's back up the contents of the /var/lib/vz directory, because all data in that directory will be DELETED.
** This backup method works if you have a brand new installation; if you have lots of files you may choose a more suitable method **

Code:
cd /var/lib/vz && tar cvzf /root/vz-dir-structure.tar.gz *
cd /root

3. We need to unmount /var/lib/vz in order to set up LUKS
Code:
umount /dev/pve/data
note: if the umount command above fails, make sure that (1) you do not have a shell session open that is at the /var/lib/vz directory (use command 'pwd' to find out which directory you are at in each shell session) (2) you do not have any VMs running. If it still won't work, try using the lsof command to figure out which process has that directory open and try to kill it.

4. Now we will configure encryption
Code:
cryptsetup -y --cipher aes-cbc-essiv:sha256 --key-size 256 luksFormat /dev/pve/data
cryptsetup luksOpen /dev/pve/data data

5. Set up a filesystem
** If you wish to use another filesystem (e.g. ext4) make sure to adjust the command below AND /etc/fstab **
Code:
mkfs.ext3 /dev/mapper/data

6. Adjust /etc/crypttab and /etc/fstab
Code:
echo "data /dev/pve/data none luks" >> /etc/crypttab
sed -i -e 's,/dev/pve/data,/dev/mapper/data,g' /etc/fstab

7. Restore /var/lib/vz data
Code:
mount /var/lib/vz
cd /var/lib/vz && tar xvzf /root/vz-dir-structure.tar.gz

On my computer, a partition without LUKS reads at 327 MB/s; with LUKS it goes down to 268 MB/s (benchmarked using "hdparm -t").

Remember: after you configure LUKS as in this HOW-TO, at boot time your server will stop the boot-up process and wait for you to type in the passphrase. There are ways to overcome this; for instance, if you want to set up your system so that the key is read from a USB stick, take a look here:
http://raftaman.net/?p=300

Hope this is helpful. Tested on 2.0 Beta2, but I believe it should work on most other versions.
If you know of a better way to do this, please share.


ADDED ON 28/11/2011: ENCRYPT THE SWAP PARTITION WITH RANDOM KEY

To be really safe you should also encrypt the swap partition.
Below, you will find a way to quickly add encryption to the swap partition with RANDOM keys, i.e. your system will discard all information in the swap partition every time it boots and use a new auto-generated random key to encrypt swap contents.
This will of course prevent your system from restoring from hibernation correctly, but at the same time it will save you from having to type a passphrase every time the system boots.

A. First, let's turn off swap
Code:
swapoff -a

B. Let's clean the swap partition so that nothing will be left over there
Code:
shred -v /dev/pve/swap

C. Edit /etc/crypttab
Code:
echo "swap    /dev/pve/swap    /dev/urandom    swap,cipher=aes-cbc-essiv:sha256" >> /etc/crypttab

D. Change /etc/fstab
The line for the swap partition should read like this (the option keyword is "defaults"):
Code:
/dev/mapper/swap    none    swap    defaults    0    0

Now just reboot the system and everything should be fine!
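The whole procedure from the post (steps 1-7 for the LUKS data volume and A-D for the random-key swap) as one script with a dry-run mode. This is an added example, not code from mbello's post or from Proxmox. It assumes the Proxmox default LV names /dev/pve/data and /dev/pve/swap mounted at /var/lib/vz, and a current cryptsetup (2.x, for `--type luks2`; on the 2011-era version drop that flag). It uses cryptsetup's current defaults (LUKS2, aes-xts-plain64) rather than aes-cbc-essiv:sha256, and the function names (`run`, `is_mounted`, `crypttab_entries`, `rewrite_fstab`) are hypothetical names chosen here. The crypttab and fstab edits are pure text functions, so the resulting configuration can be inspected before the live files are touched.

```shell
#!/bin/bash
# Added example (not from the original post): LUKS on /dev/pve/data plus a
# random-key swap, as one script.  DRY_RUN=1 (the default) only prints the
# privileged commands and the config that would be written.
# Assumptions: Proxmox default LV names, /var/lib/vz on /dev/pve/data,
# cryptsetup 2.x.  Function names are this example's own.
set -euo pipefail

DATA_LV=${DATA_LV:-/dev/pve/data}
SWAP_LV=${SWAP_LV:-/dev/pve/swap}
DRY_RUN=${DRY_RUN:-1}          # 1 = show commands instead of running them

run() {                        # run a command, or just echo it in dry-run mode
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Preflight: is mount point $1 present in the mounts table read from stdin
# (normally /proc/mounts)?  Checking the mount point rather than the device
# avoids the /dev/pve/data vs /dev/mapper/pve-data naming mismatch.
is_mounted() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }'
}

# /etc/crypttab lines: the data volume is unlocked with a passphrase at boot;
# swap gets a fresh random key from /dev/urandom on every boot, so it can
# never be used to resume from hibernation.
crypttab_entries() {
    printf '%s\n' "data $DATA_LV none luks"
    printf '%s\n' "swap $SWAP_LV /dev/urandom swap,cipher=aes-xts-plain64,size=512"
}

# Rewrite an fstab read from stdin: /var/lib/vz now comes from the mapped
# device and the swap line points at /dev/mapper/swap (option keyword: defaults).
rewrite_fstab() {
    sed -e "s,^$DATA_LV[[:space:]],/dev/mapper/data ," \
        -e "s,^$SWAP_LV[[:space:]].*,/dev/mapper/swap none swap defaults 0 0,"
}

encrypt_data() {
    run apt-get install -y cryptsetup
    # Archive "." rather than "*" so dotfiles in /var/lib/vz are kept too.
    run tar czf /root/vz-dir-structure.tar.gz -C /var/lib/vz .
    run umount /var/lib/vz
    # Belt and braces: never luksFormat a volume that is still mounted.
    if [ "$DRY_RUN" != 1 ] && is_mounted /var/lib/vz < /proc/mounts; then
        echo "/var/lib/vz still mounted: close shells there, stop VMs, check lsof" >&2
        return 1
    fi
    # cryptsetup's current defaults (LUKS2, aes-xts-plain64, 512-bit key);
    # -y asks for the passphrase twice.
    run cryptsetup -y --type luks2 luksFormat "$DATA_LV"
    run cryptsetup open "$DATA_LV" data
    run mkfs.ext3 /dev/mapper/data
}

encrypt_swap() {
    run swapoff -a
    # One overwrite pass of the old plaintext swap; its successor is random-keyed.
    run shred -v -n 1 "$SWAP_LV"
}

apply_config() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ append to /etc/crypttab:"; crypttab_entries
        echo "+ rewrite /etc/fstab as:";   rewrite_fstab < /etc/fstab
        return
    fi
    cp /etc/fstab /etc/fstab.bak
    crypttab_entries >> /etc/crypttab
    rewrite_fstab < /etc/fstab.bak > /etc/fstab
}

restore_data() {
    run mount /var/lib/vz
    run tar xzf /root/vz-dir-structure.tar.gz -C /var/lib/vz
}

main() { encrypt_data; encrypt_swap; apply_config; restore_data; }

# Usage:  DRY_RUN=1 ./luks-pve.sh --run   (print the plan)
#         DRY_RUN=0 ./luks-pve.sh --run   (do it, as root, after a real backup)
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it once with DRY_RUN=1 and read the printed crypttab and fstab before running it for real; the rewrite leaves every other fstab line untouched, so a root or /boot entry cannot be clobbered by accident.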
I suggest you create a wiki article; how-tos are better in the wiki.
I have one or two VMs that I wanted to encrypt (at the VM level), but I was worried about the encryption keys getting written out to the swap partition. So I just followed the last section of these instructions and now my swap is encrypted. Thanks so much for the detailed instructions!