Hi @ll,
I'm installing my new Proxmox Server. My Plan is to have a fully encrypted System (I had similar Setups before with Debian 6-10 & Xen & Encrypted LVM).
Proxmox 6 is already running with encrypted LVM on a 3ware RAID 1 with SSDs (similar partition scheme as the default Installer uses, with an LV for root and an LV for "local-lvm" with lvm-thin).
For the Containers, VMs and Data, I have 8 SAS Harddisks on an HBA Controller.
Now I want to have encrypted ZFS (raidz3) on these Disks. From what I have read in the last few days, there are 2 Options:
Option 1 is to encrypt all 8 disks separately with LUKS and build the ZFS pool on top of the unlocked crypto-disks.
Option 2 is to use the native encryption ZoL has had since Version 0.8.x and encrypt the whole zpool.
I would prefer Option 2, but I am interested in what you would suggest and also how to set this up, since there is not much information regarding Proxmox and ZFS Encryption (I know the wiki article).
For unlocking the LUKS Disks or the native ZFS Encryption, I would use a Keyfile stored in /root. This should be no Problem because /root is on the encrypted LVM mentioned above.
Thanks for your tips.
Best regards
P.S.: I also have a TPM Module installed in the Server. Does it make sense to use it to protect the Keyfile? And if so, how?
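Option 2 from the post (native ZFS encryption unlocked by a keyfile), sketched as an added example that is not part of the original post. The pool name `tank`, the key path and the disk names are assumptions; the script generates the key and only prints the `zpool`/`zfs` commands so they can be reviewed before being run.

```shell
#!/bin/sh
# Added example, not from the post. Pool name, key path and disk names
# below are assumptions (constructed placeholders).

# Create a raw key for ZFS native encryption. keyformat=raw expects
# exactly 32 bytes; umask 077 makes the file owner-only (mode 600).
make_keyfile() {
    keyfile=$1
    if [ -e "$keyfile" ]; then
        echo "refusing to overwrite existing key: $keyfile" >&2
        return 1
    fi
    ( umask 077 && head -c 32 /dev/urandom > "$keyfile" )
}

# Print (dry run, nothing is executed) the command that creates an
# encrypted raidz3 pool. -O sets the property on the pool's root
# dataset, so every child dataset inherits the encryption.
zpool_create_cmd() {
    pool=$1; keyfile=$2; shift 2
    case $keyfile in
        /*) ;;  # keylocation=file:// needs an absolute path
        *) echo "key path must be absolute: $keyfile" >&2; return 1 ;;
    esac
    if [ "$#" -lt 4 ]; then
        echo "raidz3 needs at least 4 disks, got $#" >&2
        return 1
    fi
    printf 'zpool create -O encryption=aes-256-gcm -O keyformat=raw -O keylocation=file://%s %s raidz3 %s\n' \
        "$keyfile" "$pool" "$*"
}

# Print the commands that unlock and mount the datasets after a
# reboot, once the volume holding the keyfile is itself unlocked.
unlock_cmds() {
    printf 'zfs load-key -r %s\nzfs mount -a\n' "$1"
}

# Demo in a scratch directory; on the real host the key would live
# under /root as the post describes.
demo=$(mktemp -d)
make_keyfile "$demo/tank.key"
zpool_create_cmd tank "$demo/tank.key" DISK1 DISK2 DISK3 DISK4 DISK5 DISK6 DISK7 DISK8
unlock_cmds tank
rm -rf "$demo"
```

Because the raw key is the only secret, losing the keyfile means losing the pool; keep an offline copy of it.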