Need help installing Proxmox with automatic decryption and multiple drives

Assuming you have auto-unlock enabled for your system, because that was the use case you described:
What would prevent an attacker from just overriding the boot argument with e.g. init=/bin/bash and booting right into your decrypted OS, or just doing what your current initrd is doing and injecting what he wants? That is one of the known attack vectors in a physical access scenario. What about DMA-based attacks? Also very easily doable in the scenario with physical access. What about a cold-boot attack?

TPM should be used with additional authentication in order to mitigate those issues or you should offload the encrypted disk description to another machine so that an attacker with physical access will not be able to encrypt it.
Whatever man, if the crackhead that breaks in and steals my machine is able to use one of those attacks - he can have the family photos. He's earned them.

Now, if I were storing nuclear launch codes it'd be a different story.
 
I was also interested in encrypting my Proxmox VE nodes and found that there are many threads spread across this forum. It took me a lot of work to find everything I needed, so I thought it would be a good idea to collect everything in one how-to guide.

I published it on GitHub, so it can be easily maintained, and I will update it as I finish testing with different filesystems and disk configurations. I'm not an expert, so I'm open to any recommendations or improvements to help fresh Proxmox and Linux users: HOW TO - Encrypt complete Proxmox node with LUKS
 
I'm trying to install Proxmox on a server that is going to be running Home Assistant, a security camera NVR setup and other sensitive data. I need to have the drives be encrypted with automatic decryption of drives so the VMs can automatically resume after a power failure.

# My desired setup:

* 2 SATA SSD boot drives in a ZFS mirror
* 1 NVMe SSD for L2ARC and VM storage
* 3 HDDs in a RAIDz1 for backups and general large storage
* 1 (maybe more added later) HDD for Camera NVR VM.

I'd prefer every drive encrypted with native ZFS encryption automatically decrypted by either TPM 2.0 or manually by a passphrase if needed as a backup.

# Guide I found:

I found a general guide on how to do something similar but it honestly went over my head (I'm still learning) and didn't include much information about additional drives: Proxmox with Secure Boot and Native ZFS Encryption


If someone could adapt that post into a more noob-friendly guide for the latest Proxmox version, with directions for decryption of multiple drives, that would be amazing and I'm sure it would make an *excellent* addition to the Proxmox wiki ;)

# My 2nd preferred setup:

* 2 SATA SSD boot drives in a ZFS mirror with LUKS encryption and automatic decryption with clevis.
* All other drives encrypted using ZFS native encryption with ZFS key (keys?) stored on LUKS boot drive partition.


With this arrangement, every drive could be encrypted at rest and decrypted on boot with native ZFS encryption on most drives but has the downsides of using LUKS on ZFS for the boot drives.


Is storing the ZFS keys in a LUKS partition insecure in some way? Would this result in undecryptable drives if something happened to ZFS keys on the boot drive or can they be also decrypted with a passphrase as a backup?


As it stands right now, I'm really stuck trying to figure this out, so any help or well-written guides are heavily appreciated. Thanks for reading!

Just add this line to cron:

```
@reboot /usr/sbin/zfs load-key -a
```
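
A more careful variant of the cron one-liner above, as an added example that is not part of any post in this thread: it reads the output of `zfs get -H -o name,value keylocation` and refuses to load keys when a `file://` key file is a symlink, missing, or accessible to group or others. The pool names and key files in `demo` are constructed, and the script does not check that the key directory actually sits on the LUKS volume.

```shell
#!/bin/sh
# Added example (not from the thread): audit file-based ZFS key locations
# before the boot-time `zfs load-key -a` runs.

# key_status PATH: prints "ok" or a reason; returns 1 if the key file is unsafe.
key_status() {
    if [ -L "$1" ]; then echo "symlink"; return 1; fi
    if [ ! -f "$1" ]; then echo "missing-or-not-regular-file"; return 1; fi
    # POSIX find: prints the path if any group/other permission bit is set.
    if [ -n "$(find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
            -o -perm -004 -o -perm -002 -o -perm -001 \))" ]; then
        echo "group-or-world-accessible"; return 1
    fi
    echo "ok"
}

# Reads "dataset<TAB>keylocation" lines on stdin, the output format of
# `zfs get -H -o name,value keylocation`. Returns 1 if any key file fails.
audit_keylocations() {
    bad=0
    while IFS="$(printf '\t')" read -r dataset loc; do
        case $loc in
            file://*) keyfile=${loc#file://} ;;
            *) continue ;;  # "prompt", "none" etc. are not key files on disk
        esac
        verdict=$(key_status "$keyfile") || bad=1
        printf '%s\t%s\t%s\n' "$dataset" "$keyfile" "$verdict"
    done
    return "$bad"
}

# Constructed sample: hypothetical pool names and throwaway key files.
demo() {
    d=$(mktemp -d) || return 2
    demo_rc=0
    : > "$d/backup.key"; chmod 400 "$d/backup.key"
    : > "$d/nvr.key"; chmod 644 "$d/nvr.key"
    printf 'backup\tfile://%s\nnvr\tfile://%s\nrpool\tprompt\n' \
        "$d/backup.key" "$d/nvr.key" | audit_keylocations || demo_rc=$?
    rm -rf "$d"
    return "$demo_rc"
}

# On a node, load keys only if the audit passes; elsewhere run the demo.
if command -v zfs >/dev/null 2>&1; then
    zfs get -H -o name,value keylocation | audit_keylocations && zfs load-key -a
else
    demo || echo "audit failed: fix the key files listed above" >&2
fi
```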