[SOLVED] Native encryption of zfs root possible?

Yakuraku

Active Member
Sep 24, 2016
Hi,

for various reasons I prefer my data to be encrypted on disks. Until now I used a ZFS on LUKS setup, which worked pretty well but had its quirks and some other drawbacks.

So I was really happy to see zfs native encryption and its support with Proxmox 6 (Thanks for that!).

To have my VMs etc safe is not a real challenge, since I'm in control when I create the pool/dataset. But for the rpool unfortunately it's out of my reach, since it is handled by the Installer.

The fun part is now: Is it possible to move the rpool afterwards to an encrypted dataset?
 
Ok, I found a way to do this myself.

Advice: Make sure and double/triple check if you are using systemd-boot as boot loader!

For anybody who wants to do this a short how-to:
- Get a PS/2 Keyboard (seriously, just get one)
- Boot after install with PVE-Installer disk to Debug-mode
- On the first prompt hit CTRL+D on your PS/2 keyboard. (From here on, use any keyboard you like)
- You should see a root-console now
From here on do:
Code:
zpool import -f rpool
# Snapshot ROOT recursively and copy it to a temporary dataset
zfs snapshot -r rpool/ROOT@forCopy
zfs send -R rpool/ROOT@forCopy | zfs receive rpool/copyROOT
zfs list # check your datasets
# Destroy the unencrypted ROOT and recreate it as an encrypted dataset
zfs destroy -r rpool/ROOT
zfs create -o encryption=on -o keyformat=passphrase rpool/ROOT
# Enter your passphrase here
# Receive the copy back under the now-encrypted ROOT
zfs send -R rpool/copyROOT/pve-1@forCopy | zfs receive rpool/ROOT/pve-1
zfs list
# Check if the mount point is ok, if not adjust it
zfs set mountpoint=/ rpool/ROOT/pve-1
zfs export rpool

When you reboot now, you are prompted for your root dataset.
And voilà, your dataset is encrypted.

This is the output of my system after the modifications.
Code:
root@pve:~# zfs get encryption,keylocation
NAME                    PROPERTY     VALUE        SOURCE
rpool                   encryption   off          default
rpool                   keylocation  none         default
rpool/ROOT              encryption   on  -
rpool/ROOT              keylocation  prompt       local
rpool/ROOT/pve-1        encryption   on  -
rpool/ROOT/pve-1        keylocation  none         default

Note: This encrypts only the rpool/ROOT dataset!!!!!!!!

Edit: You can also recreate the whole rpool with small changes in the commands and have everything encrypted, not only the datasets!!! :D
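A post-migration check, added here as an example (it is not from the thread, the Gist, or Proxmox): it parses the listing printed by `zfs get -H -r -o name,property,value encryption,keylocation rpool/ROOT` and fails if any dataset under ROOT is still unencrypted, which is exactly the case the replies below describe when the received child keeps the source's encryption=off property. The sample listings are constructed to mirror the output shown above.

```shell
#!/bin/sh
# Added example (not from the thread). Usage on a migrated system:
#   zfs get -H -r -o name,property,value encryption,keylocation rpool/ROOT | check_encrypted
# Reads the tab-separated listing on stdin, prints one line per dataset and
# exits non-zero if any dataset still has encryption=off.
check_encrypted() {
    awk -F'\t' '
        $2 == "encryption"  { enc[$1] = $3 }
        $2 == "keylocation" { key[$1] = $3 }
        END {
            bad = 0
            for (ds in enc) {
                if (enc[ds] == "off") {
                    printf "FAIL %s is not encrypted\n", ds
                    bad = 1
                } else {
                    printf "ok   %s encryption=%s keylocation=%s\n", ds, enc[ds], key[ds]
                }
            }
            exit bad
        }'
}

# Constructed sample listings in "zfs get -H" format (tab-separated).
# SAMPLE_GOOD mirrors the thread output: ROOT is the encryption root with
# keylocation=prompt and pve-1 inherits its key. SAMPLE_BAD is what a child
# received with the source's encryption=off property would look like.
SAMPLE_GOOD="$(printf 'rpool/ROOT\tencryption\ton\nrpool/ROOT\tkeylocation\tprompt\nrpool/ROOT/pve-1\tencryption\ton\nrpool/ROOT/pve-1\tkeylocation\tnone\n')"
SAMPLE_BAD="$(printf 'rpool/ROOT\tencryption\ton\nrpool/ROOT\tkeylocation\tprompt\nrpool/ROOT/pve-1\tencryption\toff\nrpool/ROOT/pve-1\tkeylocation\tnone\n')"

# Returns 0 if the listing passed as $1 contains no unencrypted dataset.
listing_is_encrypted() {
    printf '%s\n' "$1" | check_encrypted
}

if [ "${1:-}" = "demo" ]; then
    listing_is_encrypted "$SAMPLE_GOOD"
    listing_is_encrypted "$SAMPLE_BAD" || echo "unencrypted child detected, as expected"
fi
```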
Thanks to both of you

For the guide I think you should add the -o encryption=on for the "zfs receive rpool/ROOT/pve-1".
bytee added it, and without that my pve-1 datasets wouldn't encrypt even with ROOT encrypted.

For the Gist, at one point it's written root instead of ROOT, and the option in the receive is -o encryption I believe, instead of -x encryption.

why not specify encryption=aes-256-gcm ?

edit: It's way easier to do with ubuntu 19.10 live, set a password and install openssh-server.

Thank you! You are right, the one with lower-case root is a typo, and -o is correct :)

Fixed it in the Gist, it should work now.

For aes-256-gcm vs aes-256-ccm it's more difficult. I left it at the default in my "version" too; there's still ongoing discussion, depending on the scenario, about which one is faster. GCM may be more secure though.