PVE6 - How to setup encrypted ZFS

Jul 25, 2019
Hi @ll,

i'm installing my new Proxmox Server. My Plan is to have a fully encrypted System (i had similar Setups before with Debian 6-10 & Xen & Encrypted LVM).
Proxmox 6 is already running with encrypted lvm on a 3ware Raid 1 with SSD's (similar partition scheme as the default Installer does, with lv for root and lv for "local-lvm" with lvm-thin).

For the Container, VM's and Data, i have 8 SAS Harddisks on a HBA Controller.

Now i want to have encrypted ZFS (raidz3) on these Disks. What i have read in the last few days, there are 2 Options:

Option 1 is, to encrypt all 8 disks separately with LUKS an make the ZFS over the unlocked crypto-disks.

Option 2 is, to use the native encryption ZoL brings since Version 0.8.x and encyrpt the whole zpool.

I would prefer Option 2, but i am interested in what you would suggest and also, how to set this up, since there is not much information regarding Proxmox and ZFS Encryption (i know the wiki article).

For unlocking the LUKS Disks or the native ZFS Encryption, i would use a Keyfile stored in /root, this should
be no Problem because /root is on the encyrpted lvm mentioned above.

Thanks for your tipps.

Best regards

P.S.: I also have a TPM Module installed in the Server. Does it make sense to use it to protect the Keyfile? And if so, how?
you can simply test your setup in a VM and play around with various scenarios.

native encryption in ZFS is still fairly new, and especially the integration for unlocking at boot is still a bit rough around the edges. if you know your way around systemd, it is easy enough to add the key loading at the proper point in the startup sequence though. you can protect your keyfile in whatever fashion you want, but you need to pass the plain-text content to 'zfs load-key' at some point ;)


The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!