Mount LUKS drives only inside VM, not in PVE, possible?

tig3r

New Member
Jan 29, 2023
Hello all
I'm quite new to PVE but have so far played around with 2 thin clients on different VLANs running a few VMs each, mostly Linux distros, HASS, and a few LXC. So I have some grasp of how to find my way around.

But Google and the forum have failed me on this, for me, pretty important question. I would like to move my main server onto PVE; today it's running an Ubuntu distro. I have encrypted all drives.
My testing shows me that I can SSH into a VM and unlock the boot partition with dropbear; so far so good, it works the same way as today with the server. :)
The server has a few drives with data; each of these drives is encrypted with LUKS.
My goal would be to only let the VM running Ubuntu mount and decrypt the data drives, but I can't find any good way of passing the drives to the VM unless PVE first mounts them. The reason that I would like only the VM to mount and decrypt the drives is because I believe it to be an extra layer of security. If my PVE would be hacked / breached, the data is still encrypted unless even the VM is hacked. Also, it prevents other VMs from accessing data on the drives.

I did try to add one of my spare external drives (encrypted with LUKS) to a thin client. The drive shows up as /dev/sda1 in PVE, but how can I give the VM knowledge of the drive unless I unlock it and mount it in PVE? (I probably could just pass the USB through to my VM as this drive is an external, but it does not help my main problem when most of the drives on the server are internal SATA drives.)

Does anyone have any helpful links they would be kind enough to share with me? :)
 
> The server has a few drives with data; each of these drives is encrypted with LUKS.
> My goal would be to only let the VM running Ubuntu mount and decrypt the data drives, but I can't find any good way of passing the drives to the VM unless PVE first mounts them. The reason that I would like only the VM to mount and decrypt the drives is because I believe it to be an extra layer of security. If my PVE would be hacked / breached, the data is still encrypted unless even the VM is hacked. Also, it prevents other VMs from accessing data on the drives.

If your PVE server gets hacked that won't help much, as the PVE host can use the console to gain access to all the VMs.
And VMs are isolated and shouldn't be able to access any data of the PVE host.
If you are planning to have the encrypted disks unlocked in the VM 24/7, then this should really add to security and it might be better to just use full system encryption of your PVE host.

And you shouldn't mount your disks on the PVE host in case a VM should also access them. That will corrupt the data on it when it is mounted by two OSes at the same time. You could have a look at disk passthrough: https://pve.proxmox.com/wiki/Passthrough_Physical_Disk_to_Virtual_Machine_(VM)
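
The reply above says the host must not have the disk mounted while a VM uses it. The script below is an added example, not code from the thread or from Proxmox: it checks on the PVE host that a device still carries a LUKS header and is neither opened nor mounted there, then prints the `qm set` command to attach it. It assumes the LUKS header sits directly on the device passed in; the VM ID, bus slot and disk path are placeholders.

```shell
#!/bin/sh
# Added example: pre-flight checks on the PVE host before handing a LUKS
# device to a VM, so the host never unlocks or mounts it.
# SYSFS and MOUNTS are overridable only so the checks can be run on sample files.
SYSFS=${SYSFS:-/sys}
MOUNTS=${MOUNTS:-/proc/mounts}

# True if the device (or image file) starts with the LUKS magic "LUKS" 0xBA 0xBE.
is_luks() {
    magic=$(od -An -tx1 -N6 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# True if the host has something stacked on the device, e.g. a dm-crypt
# mapping created by "cryptsetup open" (it appears under holders/ in sysfs).
has_holders() {
    name=$(basename "$(readlink -f "$1")")
    [ -n "$(ls -A "$SYSFS/class/block/$name/holders" 2>/dev/null)" ]
}

# True if the host has the device itself mounted.
is_mounted() {
    real=$(readlink -f "$1")
    awk -v d="$real" '$1 == d { found = 1 } END { exit !found }' "$MOUNTS"
}

# Print the qm command for a device that passes all checks; refuse otherwise.
passthrough_cmd() {
    vmid=$1 slot=$2 disk=$3
    is_luks "$disk"     || { echo "refusing: $disk has no LUKS header" >&2; return 1; }
    has_holders "$disk" && { echo "refusing: $disk is opened on the host" >&2; return 1; }
    is_mounted "$disk"  && { echo "refusing: $disk is mounted on the host" >&2; return 1; }
    echo "qm set $vmid -$slot $disk"
}

# Example call with placeholder values (VM ID, slot and serial are made up):
# passthrough_cmd 100 scsi1 /dev/disk/by-id/ata-EXAMPLE_SERIAL
```

Using the stable `/dev/disk/by-id/` path rather than `/dev/sdX` keeps the mapping on the same physical disk across reboots.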
 
Thanks for the link! Probably just what I was looking for! I was too focused on searching for LUKS and encrypted passthrough, so I missed the obvious.

The plan is to get PVE "pretty safe", but I don't want to go through the hassle of remote unlock for the boot sector on the PVE, since I will have a couple of VMs on this server and every now and then a reboot may be needed, or a longer power shortage may make the UPS turn off the PVE.
There are probably some tips on the forum and wiki for best practice on security; I will look into that.

But my VM needs higher security. I have a pretty decent security setup now in Ubuntu that I will apply to the VM as well. So hopefully it doesn't matter if someone gains access to the PVE through hacking, if the VM itself is encrypted and well protected against penetration, and my data drives are unreadable from PVE.
Console will only give access to the login screen, and brute force won't help since it will lock attempts out. Sure, the drives could be destroyed/formatted, but the data should be unreadable.
The drives will be unlocked 24/7 inside the VM after keys are provided after boot, but I would like to have them separated, each and every one with their own key, so I could move them to another server if needed.
 
