Proxmox Encryption Setup with LUKS Partition

[TrueMox]

Hello,

I have a small home server with an Intel CPU (i7-1260P), 64 GB DDR4 RAM and 3x M.2 SSDs. So far, I have not used Proxmox because I do not want to run my server without encryption, and unfortunately, Proxmox does not offer encryption. However, I only want to encrypt certain VMs. Specifically, those that contain sensitive data, to protect myself from a physical attack. Now, I have devised a solution with Proxmox and would like to present it to you and ask if this is possible with Proxmox.

Initially, I am planning to operate only 2 VMs. One VM with Pi Hole and another VM with my Nextcloud. I do not want to encrypt Proxmox itself, so that Proxmox can restart by itself after a crash or reboot without me having to enter a password. The Pi Hole VM should also be able to restart without my intervention. The Nextcloud VM should be completely encrypted, and it is okay if I need to remotely access the system to decrypt this VM.

My plan is as follows: I install Proxmox on SSD 1. Then I create two partitions on SSD 2. One partition is unencrypted and will be used for all VMs that do not require encryption. The other partition is encrypted with LUKS and is where all VMs that need to be encrypted will be stored. Is this easily doable, or will Proxmox not be able to handle an encrypted partition? Then I would start my server, Proxmox starts automatically, and the Pi Hole VM as well. After that, I remote into the system and enter the password for the LUKS encrypted partition. Then I log into Proxmox and start the Nextcloud VM.

Backup: I also want to create backups. These should then be stored on SSD 3. But of course, there also need to be two partitions there. An unencrypted and an encrypted one. I can choose where the backups are stored when setting up the backup jobs. For the Pi Hole VM, I would then select the unencrypted partition through Proxmox, and for the Nextcloud VM, I would choose the encrypted partition.

Somehow, this seems too simple to me. Have I made any logical errors?

Thank you in advance and best regards

 

[Dunuin]

So far, I have not used Proxmox because I do not want to run my server without encryption, and unfortunately, Proxmox does not offer encryption.

It supports even full system encryption via ZFS native encryption or LUKS. But you have to do that on your own.

I do not want to encrypt Proxmox itself, so that Proxmox can restart by itself after a crash or reboot without me having to enter a password.

Then keep in mind that you might leak sensitive data. LXC logs containing sensitive informations can end up on the unencrypted root filesystem. And that sensitive data will be stored in RAM and might then be swapped out to the unencrypted swap partition.

Is this easily doable, or will Proxmox not be able to handle an encrypted partition?

You will have to manually mount it. After mounting it, it works just fine.

 

[TrueMox]

Then keep in mind that you might leak sensitive data.

I am ware of this, thanks.

So my setup is good and you don't have any other concerns? Then I will migrate to Proxmox in few days.

Maybe any other tips?

 

[czechsys]

Proxmox will wait on boot because it will want to mount/enable encrypted partitions. You will need to use some customization in fstab/systemd to override such workflow for manual unlock.

 

[TrueMox]

Proxmox will wait on boot because it will want to mount/enable encrypted partitions.

Oh... so Proxmox will not boot and the Pi Hole VM also, until I entered all keys for the partitions. This is not good. And I am not sure if I am able to adjust my system settings to bypass this.

 

[TrueMox]

Can someone confirm, that Proxmox is not booting, when there is a luks encrypted partition?

 

[esi_y]

Can someone confirm, that Proxmox is not booting, when there is a luks encrypted partition?

This is your home server, you wrote. Then protect from physical attack. Expecting SWAT team? I mean, really - what is the protection against in the sense that ... are you concerned about having unencrypted data laying around when you e.g. need to RMA a failed drive or are you concerned someone getting physically hold of your unencrypted data at rest in that location?

You can encrypt everything, or some of the things, of course if you do not encrypt PVE partition it will start up, if it does not find underlying partitions for some of your VMs, then they can't be started (till you LUKS open them manually). The easiest would be to set those not to auto-start to begin with.

Maybe have a look at the tutorial posted not too long ago:
https://forum.proxmox.com/threads/adding-full-disk-encryption-to-proxmox.137051/

Or this lengthy thread, veering off LUKS quite a bit, but well, helpful if you were to manually install on LUKS:
https://forum.proxmox.com/threads/proxmox-8-luks-encryption-question.137150/

I'd rather install it fully encrypted and have it auto unlock from passphrase on a USB drive (which I can easily remove) and it protects from threats like RMA technician getting access to your data. Because as @Dunuin said all correctly above in a nutshell .. you will be leaking data .. and you can selectively turn on ZFS dataset encryption, per dataset.

 

[esi_y]

Proxmox will wait on boot because it will want to mount/enable encrypted partitions. You will need to use some customization in fstab/systemd to override such workflow for manual unlock.

Oh so this is why the question @TrueMox - don't worry, you can definitely have PVE start up if it's set up on unencrypted root. Unless you mess up yout crypttab, in which case you just have to fixit.

Btw this is pretty generic Debian or rather LUKS question. PVE does not really have much to do with it. Other than that if there's no mounted volume for a VM to start, it won't, if there's no target volume for replication, it would fail. Just like you want it, after all.

 

[TrueMox]

Great, thank you for the input! I think I will try it in few days.