[TUTORIAL] Native full-disk encryption with ZFS

Thanks for your answer, and indeed yes - that's what it is meant for, as BitLocker is a useful thing on laptops. What we want is to also prevent our own users from manipulating the installation, for example by trying to use the disk in another system they control, or by booting another OS via USB to gain more access, or whatever.

So I really would like to know if there is a similar way to have the key stored in the TPM for decrypting root, similar to the solutions that exist for LUKS2-encrypted systems. I also would not mind eliminating GRUB if it is enough to boot the system from EFI.
 
I never tried this, but it can be your solution: https://sr.ht/~nabijaczleweli/tzpfms/
The project says:
Essentially BitLocker, but for ZFS – a random raw key is generated and sealed to the TPM (both 2 and 1.x supported) with an additional optional password in front of it, tying the dataset to the platform and an additional optional secret (or to the possession of the back-up).
 
Getting closer, as I reinstalled Debian on ext4 with LUKS and cryptsetup using this guide, which also works fine but does not ask for a password anymore - it just uses the TPM module for decryption. My next step will be to try out systemd-cryptenroll, as it supports a PIN to unlock the disk with a TPM password while not being dependent on dracut but staying with initramfs. I still would love to be able to achieve this whole setup with fully encrypted Proxmox on ZFS, but I need a working solution with TPM and password first. :)
 
@moderators Can you please do me a favour and split the non-relevant part of this thread into a new one, as my intention is not to pollute this great guide, which has the topic of full-disk encryption with ZFS? Thread title maybe: full-disk encryption by TPM2-stored key with additional password or PIN.
 
I'm new to Proxmox (still learning the basics) but knew I really want ZFS encryption on all datasets. So ideally it is just enabled on the pool and thus auto-enabled for all new datasets. As I was doing a fresh install, the steps in the initial post were a bit long for my taste, and I got to wonder why we can't make the installer set it up from scratch.

So if wanting to enable encryption from the start during installation matches your use case:
  1. Boot the installer in debug mode (either graphical or terminal, whatever you prefer).
  2. On the first stop, continue (by typing exit).
  3. On the second stop, modify the installer code via vim /usr/share/perl5/Proxmox/Install.pm, and in the method zfs_create_rpool (line 206 for Proxmox 8.3.1):
    • change my $cmd = "zpool create -f -o cachefile=none"; to my $cmd = "zpool create -f -o cachefile=none -O encryption=on -O keylocation=prompt -O keyformat=passphrase";. Adjust as needed.
    • change syscmd("$cmd $pool_name $vdev") == 0 || die ...; to run_command("$cmd $pool_name $vdev", undef, "PASSWORD\nPASSWORD\n", 1) == 0 || die ...; (syscmd(cmd) maps to run_command(cmd, undef, undef, 1), with the 3rd parameter being the stdin input passed to cmd; zpool create asks for the passphrase twice, hence the repeated line).
  4. Continue (exit) and install as usual (you obviously need to select some ZFS variant for this to make sense).
On the next boot, you will be prompted for a password to decrypt rpool. You can check with zfs get -r encryption that everything is set up in order.

IMPORTANT: I do not know whether there is some log file of the install somewhere that may include the password, so just use something simple like PASSWORD for the setup and afterwards change it via zfs change-key rpool.
 
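The post above ends with "check with zfs get -r encryption that everything is set up in order". As an added example (not from the poster or from Proxmox), the following POSIX shell script turns that manual check into an audit that can be run after the first boot: it reads the tab-separated output of zfs get -H -o name,property,value -r encryption,keyformat,keylocation rpool and flags any dataset that is unencrypted, or whose encryption root loads its key from a file on disk rather than from a prompt. The zfs output embedded in sample_zfs_get and sample_clean is constructed so the script runs offline; the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit ZFS dataset encryption state after an encrypted install.
# Live use on a node:
#   zfs get -H -o name,property,value -r encryption,keyformat,keylocation rpool \
#     | audit_encryption
# (-H prints tab-separated rows without a header, which is what audit_encryption expects.)

# audit_encryption reads "name<TAB>property<TAB>value" rows on stdin, prints one
# finding per problem dataset and returns 1 if anything was found, 0 otherwise.
# A non-encryption-root child shows keylocation "none" and is fine; only
# encryption=off and a keylocation of the form file:///... are reported.
audit_encryption() {
    awk -F'\t' '
        { v[$1, $2] = $3; seen[$1] = 1 }
        END {
            bad = 0
            for (ds in seen) {
                if (v[ds, "encryption"] == "off") {
                    printf "UNENCRYPTED  %s\n", ds; bad = 1
                } else if (v[ds, "keylocation"] ~ /^file:/) {
                    printf "KEY-ON-DISK  %s (%s)\n", ds, v[ds, "keylocation"]; bad = 1
                }
            }
            exit bad
        }'
}

# Constructed sample (not real node output): rpool is the encryption root with a
# passphrase at the prompt, rpool/data was created with encryption=off, and
# rpool/backup is a separate encryption root whose raw key sits in a file.
sample_zfs_get() {
    printf '%s\t%s\t%s\n' \
        rpool            encryption  aes-256-gcm \
        rpool            keyformat   passphrase \
        rpool            keylocation prompt \
        rpool/ROOT       encryption  aes-256-gcm \
        rpool/ROOT       keyformat   passphrase \
        rpool/ROOT       keylocation none \
        rpool/ROOT/pve-1 encryption  aes-256-gcm \
        rpool/ROOT/pve-1 keyformat   passphrase \
        rpool/ROOT/pve-1 keylocation none \
        rpool/data       encryption  off \
        rpool/data       keyformat   none \
        rpool/data       keylocation none \
        rpool/backup     encryption  aes-256-gcm \
        rpool/backup     keyformat   raw \
        rpool/backup     keylocation file:///root/backup.key
}

# Constructed sample of a tree where every dataset inherits rpool's encryption.
sample_clean() {
    printf '%s\t%s\t%s\n' \
        rpool            encryption  aes-256-gcm \
        rpool            keyformat   passphrase \
        rpool            keylocation prompt \
        rpool/ROOT       encryption  aes-256-gcm \
        rpool/ROOT       keyformat   passphrase \
        rpool/ROOT       keylocation none \
        rpool/data       encryption  aes-256-gcm \
        rpool/data       keyformat   passphrase \
        rpool/data       keylocation none
}

# When run directly, audit the constructed sample; findings go to stdout.
sample_zfs_get | audit_encryption || echo "audit: problems found"
```

On the sample, the audit reports rpool/data as UNENCRYPTED and rpool/backup as KEY-ON-DISK and exits 1; the clean tree exits 0. Datasets created later under rpool inherit encryption automatically, so the usual way to end up with an unencrypted child is an explicit -o encryption=off or a plain zfs receive, which is exactly what this check is meant to catch. The key-file check matters for the threat model discussed earlier in the thread (a user moving the disk to another machine): a raw key readable from the same disk protects nothing.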
Thank you so much for this.

I combined your steps with these ones to create a custom image that doesn't require running the installer in debug mode and editing the files on the live system.

This is really something that should be available out of the box, given how clean and minimal the changes needed to get it working are.
 
I was also interested in encrypting my Proxmox VE nodes and found that there are many threads spread across this forum. It took me a lot of work to find everything I needed, so I thought it would be a good idea to collect everything in one how-to guide.

I published it on GitHub, so it can be easily maintained, and I will update it as I finish testing with different filesystems and disk configurations. I'm not an expert, so I'm open to any recommendations or improvements to help fresh Proxmox and Linux users: HOW TO - Encrypt complete Proxmox node with LUKS
 
I'm not sure why you didn't post a new thread with this as a tutorial instead of posting to other people's threads. This would give people the opportunity to comment on the process and discuss it.

Regardless, I gave this a shot last night and ran into issues after running "update-initramfs -u -k all"; essentially, the UUIDs were missing from /etc/kernel/proxmox-boot-uuids. I could probably have booted into a live CD or something to keep troubleshooting, but decided to just blow away the install. I didn't lose anything of substance, but I'd recommend putting in some troubleshooting steps or having a place people could post to troubleshoot if they run into issues.
 
I posted it to some threads I found when searching on Google.

Thanks for the input. I will open a new thread in the forum and link it in the README as well, so it's possible to discuss it here in the forum as well as on GitHub.
 