official full encryption support

PanZvedavy

Active Member
Dec 27, 2012
24
0
41
Hello,

are there any plans for official encryption support of proxmox installation aka support option in proxmox installer? Theres support for full encrypt setup in linux distributions for looong time. It wouldby nice to have that options directly in proxmox installer. With today procesors with aes instructions there will be 4-5% performance hit max.
Native encryption support in installator will also make proxmox unique because competitors doesnt have that feature.
So what do you thing about that proxmox team?
 
Hi,

What if you install just clean OS Debian 7 and turn on the encryption? Does that work?

Regards,
MeyRNL
 
No, it would not work. It must be integrated and fully supported option by proxmox on host-hypervisor level. Encryption of every individual guest inside its container is not way to deal with the problem.
 
I believe he's referring to doing a fresh install of debian 7 on the barebone host, using full system encryption in the debian installer options. Then adding Proxmox packages on top of that.
 
I believe he's referring to doing a fresh install of debian 7 on the barebone host, using full system encryption in the debian installer options. Then adding Proxmox packages on top of that.

Well barebone host is not supported scenario by proxmox team.
And its not only about adding encryption options to installer. Also adding encryption function set to web administration. When you add new storage, there should be a some encryption options. And this leads to function like ability to recognize new added storage and let users work with that storage in web interface...operations like formating, creating new fs etc.
One thing is sure, if there will be added options for full supported encryption setup, then this will give proxmox project huge advantage over competitors like vmware, xen etc. Im suprised, that Im first one who requesting this here.
 
Well barebone host is not supported scenario by proxmox team. And its not only about adding encryption options to installer. Also adding encryption function set to web administration. When you add new storage, there should be a some encryption options. And this leads to function like ability to recognize new added storage and let users work with that storage in web interface...operations like formating, creating new fs etc. One thing is sure, if there will be added options for full supported encryption setup, then this will give proxmox project huge advantage over competitors like vmware, xen etc. Im suprised, that Im first one who requesting this here.
Agreed. It absolutely needs GUI:s for different parts of the encryption. And for operations like formatting, creating fs etc. This is a paradox all linux users are familiar with =) Good thing is, sysadmins who use Proxmox are probably linux savvy and know how to get around. And getting full system encryption by installing debian 7 wheezy first, and then put on the Proxmox packages should not be hard. https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_Wheezy I will do my first Proxmox install next week and I think that's the way I'll go. - debian wheezy full system encryption on the metal - Proxmox packages on top of debian - Open Media Vault VM - Pass through RAID card to OMV VM - Expose RAID via NFS to Proxmox - Proxmox uses RAID as data store
 
What are the advantages of Proxmox on Debian instead of Proxmox from the ISO?

I thought that Proxmox uses the Red Hat Kernel while everything else is Debian.
 
Hi,
You can configure your storage like you what!
 
At the moment we have no plane to implement this, but we will debate it.
 
Hi to all

Only as a comment, according to wikipedia:
A performance analysis using the Crypto++ security library showed an increase in throughput from approximately 28.0 cycles per byte to 3.5 cycles per byte with AES/GCM versus a Pentium 4 with no acceleration.

See the compatible processors with AES and more information here (as OpenSSL, VMware NSX Edge Services Gateway, Citrix XenClient 1.0 and above, etc.) http://en.wikipedia.org/wiki/AES_instruction_set

Best regards
Cesar
 
In my opinion proxmox team is forgetting all the users that are using it on third party providers like online.net & ovh.
Encrypting the filesystem first is not an easy task to do that on such scenarios.
I will not mind at all loosing 5% of performance to be more secure.
My current approach is to use third party solutions to encrypt each VM and the loss would be the same. (or even worst)
 
In my opinion proxmox team is forgetting all the users that are using it on third party providers like online.net & ovh.
Encrypting the filesystem first is not an easy task to do that on such scenarios.
I will not mind at all loosing 5% of performance to be more secure.
My current approach is to use third party solutions to encrypt each VM and the loss would be the same. (or even worst)

you can already install Proxmox on a full-disk encrypted Debian installation without problems. our installer is kept simple on purpose - if you need an advanced installer with all the bells and whistles, we always recommend the Debian installer.

as a side note, IMHO there is only one benefit of FDE on a remote server not under your control: you don't need to worry about the provider's disk recycling process. every other potential security benefit of FDE is only relevant if you consider your provider to be acting malicious, and in that case, you have no chance even with FDE (because physical access easily circumvents FDE, especially for always on systems without physical protection) and should probably run your own datacenter with physical security.
 
Hi Fabian,

All those providers do have physical access limitation, but I agree with you since FDE will make it more safe.
In reality I think the dedicated server providers should provide templates to install debian (or even proxmox) on an encrypted FDE as an setup option but that is not the case and making it after the OS is installed can be tricky. I've not seen such option on OVH or on online.net. Also on some situations you would probably will need to access IDRAC console (or similar) to put the password and this is not very efficient in my opinion.
I was thinking that adding encryption on the proxmox layer would the same as virtualbox does at the moment, where you can use it or not rather the FDE is in place or not.

Regards
embb
 
what does "adding encryption on the proxmox layer" mean? you can already encrypt any of the non-root storages with standard linux disk encryption (simply put dmcrypt between the storage and the actual block device). if you mean qemu's encryption support, that is something that might be included in the future, but it's a rather niche feature and does not look stable or complete yet in upstream qemu.
 
Yes, I was talking about the qemu layer in concrete that I understand is out of proxmox scope.
dmcrypt would work but just think would be a good solution to have luks activated on the initial OS install. I would not mind to install debian & then proxmox manually.
Think I'm going to send a message to my provider because think if they make a simple change on the setup template would be a lot easier for all.

Thanks
embb
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!