Proxmox Encryption

Chris Welber

New Member
Mar 14, 2016
28
2
3
59
I'm trying to discover what types of encryption options are available in Proxmox 4.2.x. I have it setup, and I am wondering what options for encrypting volumes are available. If I've already done the base install can I encrypt the data volume after the fact?

I also noticed that the setup created a 100 gig root partition by default and then the rest of disk was used to create an large data volume, this seemed to happen by default on the ISO disk install routine.

Another question I have is can I do encrypted volumes when setting up clustering between two promox servers and are there recommended minimums for hardware and switches (i.e. 10 gig switch recommended, etc.).

Thanks,
 
you can enable full disk encryption for the root disk by installing with the Debian Jessie installer and installing Proxmox afterwards. be aware of the performance overhead though. if you have separate storage pools/volumes/disks, you can encrypt those manually (for example with dm-crypt/LUKS) and use whatever storage technology on top - but again, be aware that this will most likely affect performance.

there are some volume-encryption related features in the new Qemu 2.6 release, but I have not looked at them yet - not sure whether they are useful or how much integration we will offer for that..
 
  • Like
Reactions: kwinz
Fabian is correct, yet there is no encryption overhead if you have a recent (>5 years) old CPU, which normally includes hardware assisted encryption which is used by cryptsetup/luks automatically.
 
this might qualify as nitpicking, but there sure is. you might not notice it for your given workload and hardware setup (i.e., it's probably in the low single-digit percent range), but directly writing to disk is always faster than having another layer of device mapping and AES inbetween (even if AES is hardware/CPU accelerated).
 
Yeah, you're right .... I just gave the same reason (too many layers) in another thread about another topic.

My main point was the hardware part, which WAS a BIG overhead.
 
there are some volume-encryption related features in the new Qemu 2.6 release, but I have not looked at them yet - not sure whether they are useful or how much integration we will offer for that..

I would really like to see Proxmox support the new LUKS driver in Qemu 2.6.
My understanding is that it only works with RAW format but in the future is likely to work with all formats.

Seems like everyone is wanting data encrypted 'at rest' and this would be a really simple way for people to accomplish that.
 
The simpelst way is full disk encryption which can already be done easily if you install Debian Jessie first and then update to Proxmox 4.2. Its installer is capable of installing on fully encrypted disk.
 
I would really like to see Proxmox support the new LUKS driver in Qemu 2.6.
My understanding is that it only works with RAW format but in the future is likely to work with all formats.

Seems like everyone is wanting data encrypted 'at rest' and this would be a really simple way for people to accomplish that.

I'll take a look at it - seems like an interesting feature. No promises yet though ;)
 
you can enable full disk encryption for the root disk by installing with the Debian Jessie installer and installing Proxmox afterwards. be aware of the performance overhead though. if you have separate storage pools/volumes/disks, you can encrypt those manually (for example with dm-crypt/LUKS) and use whatever storage technology on top - but again, be aware that this will most likely affect performance.

there are some volume-encryption related features in the new Qemu 2.6 release, but I have not looked at them yet - not sure whether they are useful or how much integration we will offer for that..
I'm lost a bit here and would like to ask for clarification. What I am looking at is installing proxmox and using ZFS but if I install debian first it'll only install onto 1 disk or onto a software raid but I mean to use ZFS for creating a striped mirror.
Is that somehow possible?
 
Yes, you're right. You cannot and probably will never install a stock Debian onto ZFS due to licensing issues with the stock Debian Installer.

You can, however, install an ordinary PVE on ZFS, install cryptsetup on top and fix the setup to boot from the encrypted device. Afterwards boot a Live Linux with, store the blockdevice somewhere, encrypt the partition, mount it and restore the blockdevice. Afterwards fix the crypttab, boot and cross fingers.
This works perfectly, yet involves tinkering and a lot of deep Linux knowledge. I've done it a couple of times and it's best to "get experience" inside of a VM in which you can revert to previous stages more easy. I also have working fully-encrypted PVE systems installed inside of PVE with working, encrypted ZFS mirroring to be able to copy the virtual disks to other physical system and kickstart their provisioning. (Yes, I know the drawbacks concerning using the same encryption keys etc.).

If you want to have a root-server with fully encrypted disks, you need to patch the initrd to have a login SSH server to put in your password. There is also some discussion here on the forums about this.
 
  • Like
Reactions: Ovidiu
But it might be easier to install PVE to a small unencrypted disk and then encrypt the storage where data and vms are being stored. I'll have a LUKS device for each disk, the unlocked device mapper devices then are forming a ZFS device, so it's ZFS on top of LUKS
 
  • Like
Reactions: Ovidiu
But it might be easier to install PVE to a small unencrypted disk and then encrypt the storage where data and vms are being stored. I'll have a LUKS device for each disk, the unlocked device mapper devices then are forming a ZFS device, so it's ZFS on top of LUKS
Ok, so say I have 5 disks, I install PVE on1 disk, then create a LUKS device for each of the 4 other disks will I then be able to use ZFS to create a raid out of these 4 disks or am I losing some of ZFSs functionality since it is not accessing the underlying HDs directly?
Also, am I right in assuming that after a restart I need to type in the password to decrypt this encrypted storage?
 
Ok, so say I have 5 disks, I install PVE on1 disk, then create a LUKS device for each of the 4 other disks will I then be able to use ZFS to create a raid out of these 4 disk

Unfortunately, there is no fault tolerance. If you don't mind a slightly unsupported system, just use two small partitions for another software raid (e.g. ZFS on partitions or mdadm) and install PVE there. I've such a setup and it works fine.

am I losing some of ZFSs functionality since it is not accessing the underlying HDs directly?

No, bit-rot is also on there and everything else too.

Also, am I right in assuming that after a restart I need to type in the password to decrypt this encrypted storage?

Yes, and you should not store the password on the server, obviously :-D
I have an Icinga event handler which monitors and decrypted the data from a remote location.