[TUTORIAL] Native full-disk encryption with ZFS

Thanks for your answer and indeed yes - thats what it is meant for. As Bitloker is a usefull thing on laptops. What we want is also disable our own users manipulate the installation by for example trying to use disk in another system they control or booting another os via usb and gain more access or whatever.

So I really would like to know if there is a similar way to have the key stored in tpm for decrypting root similar to solutions that exist to do that for luks2 encrypted systems. I also would not mind to eliminate grub if it is enough to boot the system from efi.
 
Last edited:
Elleni said:
Thanks for your answer and indeed yes - thats what it is meant for. As Bitloker is a usefull thing on laptops. What we want is also disable our own users manipulate the installation by for example trying to use disk in another system they control or booting another os via usb and gain more access or whatever.

So I really would like to know if there is a similar way to have the key stored in tpm for decrypting root similar to solutions that exist to do that for luks2 encrypted systems. I also would not mind to eliminate grub if it is enough to boot the system from efi.
Click to expand...
I never tried this, but it can be your solution: https://sr.ht/~nabijaczleweli/tzpfms/
The project say:
Essentially BitLocker, but for ZFS –a random raw key is generated and sealed to the TPM (both 2 and 1.x supported) with an additional optional password in front of it,tying the dataset to the platform and an additional optional secret (or to the posession of the back-up).
Click to expand...
 
  • Like
Reactions: UdoB
Getting closer as I reinstalled Debian on ext4 with luks and cryptsetup using this guide, which also works fine, but does not ask for password anymore - just uses the tpm module for decryption. My next step will be to try out systemd-cryptenroll as it supports a pin to unlock the disk with a tpm password while not being dependent on dracut but staying with initramfs. Still would love to be able to acheive this whole setup with fully encrypted proxmox on zfs, but I need a working solution with tpm and password first. :)
 
Last edited:
@moderators Can you please do me a favour and split the non relevant part of this thread in a new one, as my intention is not to polute this great guide which has the topic of full disk encryption with zfs? Thread title maybe full disk encryption by tpm2 stored key with additional password or pin.
 
Last edited:
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom