I have been testing/using native ZFS encryption on my root pool on a single-node install and it has been working flawlessly. Though I did not set up remote unlock on this install, as it is a laptop with a DE also installed, so I have a built-in keyboard, mouse and monitor for unlocking the boot pool. I also have a second drive in the system for storing VMs, backups and ISO images, and it too is encrypted and uses a key file stored on the boot drive to unlock, which is done automatically at boot.
 
Whole system. In case you want to use swap, make sure to also encrypt that with LUKS so as not to leak sensitive data.
By default, when using ZFS, PVE won't create any swap partition, and you shouldn't use a zvol or a swap file on a dataset. So if you want to use swap, you had best tell the installer to keep some disk space unallocated so you can later manually partition it and create your LUKS-encrypted swap partition.
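As an added example (not from this thread or from Proxmox), the script below generates and idempotently installs the `/etc/crypttab` and `/etc/fstab` entries for such a manually created swap partition. It uses plain dm-crypt with a fresh random key on every boot instead of a LUKS header with a stored passphrase, which is the usual choice for swap since nothing swapped out needs to survive a reboot; the mapper name `cryptswap`, the cipher settings and the placeholder partition path are assumptions.

```shell
#!/bin/sh
# Added example: crypttab/fstab entries for a randomly keyed dm-crypt swap
# partition. Assumes the installer was told to leave space unallocated and a
# partition was created there afterwards (e.g. with sgdisk); its path is the
# only input.
#
# The partition is re-encrypted from scratch on every boot, so it MUST be
# referenced by a stable identifier: a /dev/sdX name that shifts after a disk
# is added would make the boot-time setup wipe the wrong partition.

MAPPER_NAME=cryptswap   # assumed name of the resulting /dev/mapper device

# Return 0 only for persistent device paths that do not depend on probe order.
is_stable_path() {
    case "$1" in
        /dev/disk/by-partuuid/*|/dev/disk/by-id/*|/dev/disk/by-partlabel/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the crypttab line: key read from /dev/urandom at boot, explicit cipher
# and key size, and the "swap" option so the mapped device gets mkswap run on it.
crypttab_line() {
    is_stable_path "$1" || { echo "refusing unstable device name: $1" >&2; return 1; }
    printf '%s %s /dev/urandom swap,cipher=aes-xts-plain64,size=512\n' "$MAPPER_NAME" "$1"
}

# Print the matching fstab line that activates the mapped device as swap.
fstab_line() {
    printf '/dev/mapper/%s none swap sw 0 0\n' "$MAPPER_NAME"
}

# Append both lines unless they are already present. File paths default to the
# real system files but can be overridden (useful for a dry run into a temp dir).
install_swap_entries() {
    part="$1"; crypttab="${2:-/etc/crypttab}"; fstab="${3:-/etc/fstab}"
    line=$(crypttab_line "$part") || return 1
    grep -qF "$part" "$crypttab" 2>/dev/null || printf '%s\n' "$line" >> "$crypttab"
    grep -qF "/dev/mapper/$MAPPER_NAME" "$fstab" 2>/dev/null || fstab_line >> "$fstab"
}
```

After running it against the real files, `update-initramfs -u` and a reboot (or `swapon -a` after `cryptdisks_start cryptswap`) activate the new swap.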


Systemd service. See for example here: https://wiki.archlinux.org/title/ZFS#Unlock/Mount_at_boot_time:_systemd


Yes, that's true. Broke that initramfs already two times (need patches to add VLAN/bond capabilities to the initramfs so unlocking works when using tagged VLANs or LACP bonds), and it is very annoying to boot a rescue disk and chroot into PVE to be able to fix the initramfs configs and then rebuild the initramfs.
Hi, I stumbled over this comment while debugging what's going on.
I'm trying Proxmox for the first time and want to install it on a fully encrypted disk (LUKS/cryptsetup) and want to unlock it remotely...
And unlocking via ssh/dropbear does not work.

I configured it as the tutorials (e.g. https://www.cyberciti.biz/security/how-to-unlock-luks-using-dropbear-ssh-keys-remotely-in-linux/) say.

The prompt on the machine itself shows a configured IP, gateway and netmask, as I set in initramfs.conf, but there is no route to host.
Additionally I set the IP, gateway and netmask also as a kernel parameter in GRUB... no route to host.

I'm running it on a new ZimaBlade. And I played around a lot with this device. So I installed pure Debian bookworm as well, and there dropbear unlocking from remote works with these settings out of the box.

Now I have a dual-boot system: Debian bookworm minimal from netinstall and Proxmox on another partition.

Pure Debian is decryptable via ssh, Proxmox is not.

I can't even ping the Proxmox host while it is stuck in the initramfs to decrypt the LUKS partition. Ping works from the moment the initramfs is finished and the system starts.

When I read the ARP cache while Proxmox is stuck in the initramfs I can not get a MAC address. The IP address is recognized, but no MAC.

Do you have an idea what happens here?

Thank you

Jakob
I tried a little bit more now.
Added init=/bin/sh at the end of the kernel line and removed the quiet.

In Debian I can see that dropbear is started and waits for the login from ssh. When I unlock the disk from remote, dropbear stops and I get a shell prompt.

In Proxmox I get the shell prompt directly. Dropbear is under /sbin/dropbear, but I can not even start it manually.
cryptroot-unlock is not found when I try to start it from the shell.

I'm very new to Proxmox... so I had troubles with the network setup on top of pure Debian... could not connect to my virtual machines...
so I tried the Proxmox install ISO... there it worked out of the box... but dropbear does not... :(