store PBS encryption key only in RAM

[attowdc]

Hi,
I have a setup on which I can't trust the physical security of the hardware, therefore I need to encrypt all critical data, backups are encrypted and ZFS disks are encrypted too, but not the root fs of the PVE nodes.
My problem is that the encryption key of the PBS storage is stored on the root partition and therefore lies unencrypted on disk
Is there a way to encrypt that information and decrypt it only on node startup ?
It seems to be part of the pmxcfs, but I don't know where the information in the pmxcfs is stored when the node is off
Thanks a lot =)

 

[aaron]

It seems to be part of the pmxcfs, but I don't know where the information in the pmxcfs is stored when the node is off

https://pve.proxmox.com/pve-docs/chapter-pmxcfs.html

The backing sqlite file is in /var/lib/pve-cluster/config.db.

If you need the root disk to be encrypted as well, you might want to consider first setting up a naked Debian with the encryption scheme you see fit, and installing PVE on top https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_install_proxmox_ve_on_debian

 

[attowdc]

Hmm, I'd like to avoid having the root fs encrypted as much as possible, I still have some VMs that hold non critical data that need to boot up immediatly (those are on unencrypted partitions), the best way to do this would be to have just the backup storage disable untill an administrator enters a password to decrypt the key (that would also be a handy feature for encrypted partitions) but I don't know if that is planned to be implemented