The Proxmox installer does not provide the ability to set up an encrypted root with ZFS, so Debian with an encrypted ZFS root needs to be installed first, then Proxmox will be added on top. This guide covers some of the caveats of doing so.
First, follow the excellent guide written here by the authors of ZFS to install Debian: https://openzfs.github.io/openzfs-docs/Getting%20Started/Debian/Debian%20Bookworm%20Root%20on%20ZFS.html
Disk layout for reference; the partitions are created according to the ZFS guide:
DISK1:
- part1: MBR compatibility partition, not used.
- part2: EFI partition, FAT32 formatted.
- part3: ZFS boot partition, not encrypted
- part4: ZFS root partition, encrypted via ZFS native encryption.
DISK2:
- part1: MBR compatibility partition, not used.
- part2: EFI partition, FAT32 formatted.
- part3: ZFS boot partition, not encrypted
- part4: ZFS root partition, encrypted via ZFS native encryption.
A two-disk mirror setup with ZFS native encryption was chosen; it is also possible to use LUKS encryption here. The benefit of ZFS native encryption is that the encryption only has to be calculated once for both disks, whereas LUKS requires the data to be encrypted twice. The disadvantage of ZFS native encryption is that Proxmox migration might not be available, as reported by others:
- https://forum.proxmox.com/threads/a...ion-of-disks-on-zfs-encrypted-storage.117227/
- https://forum.proxmox.com/threads/replication-migration-encrypted-zfs-datasets.70572/
Therefore, LUKS might be a better choice.
After vanilla Debian is able to boot, follow this guide here to add Proxmox on top of Debian, but DO NOT reboot yet: https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_12_Bookworm.
This is because the system failed to boot after multiple personal attempts after Grub got updated to use the version provided by the Proxmox repositories. The following quote provides a hint as to why:

> For EFI Systems installed with ZFS as the root filesystem systemd-boot is used, unless Secure Boot is enabled. All other deployments use the standard GRUB bootloader (this usually also applies to systems which are installed on top of Debian).
> - https://pve.proxmox.com/wiki/Host_Bootloader (Apr 6, 2025)

The hypothesis here is that Proxmox's distribution of Grub for some reason does not support an encrypted ZFS root or ZFS at all; therefore, systemd's boot loader must be used instead. Follow this guide here to install systemd boot to the system: https://blog.bofh.it/debian/id_465.
But in essence, all that needs to be done is:
1. `echo "root=ZFS=rpool/ROOT/debian quiet" > /etc/kernel/cmdline`
2. `apt install systemd-boot`
3. `bootctl set-timeout 4` (Optional, to make debugging easier.)
4. Find the Grub bootloader ID via `efibootmgr`, then remove it: `efibootmgr -b <ID> -B`.
After the system successfully boots from systemd-boot (the default label in NVRAM is "Linux Boot Manager"), follow the rest of https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_12_Bookworm to get Proxmox running.
Lastly, in order to sync the boot partition across kernel updates, follow the guide here: https://pve.proxmox.com/wiki/Host_Bootloader. In essence:
1. `proxmox-boot-tool format <DISK2-part2>`
2. `proxmox-boot-tool init <DISK2-part2>`
Quite an involved process overall, but it does end with a usable system.
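
For step 4 of the systemd-boot procedure above (finding the Grub ID in `efibootmgr` output before removing it), the following is an added example, not part of the original post: it only returns the Grub entry ID once a "Linux Boot Manager" entry exists and is listed in `BootOrder`, so the old loader is not deleted before its replacement is registered. The function names, the `debian` Grub label and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Pick the GRUB NVRAM entry to delete, but only once systemd-boot is registered.

# stdin: efibootmgr output; $1: exact entry label. Prints the 4-digit boot ID.
boot_id_for_label() {
    awk -v want="$1" '
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][* ] / {
            id = substr($0, 5, 4)
            label = substr($0, 11)
            sub(/\t.*/, "", label)   # newer efibootmgr appends a tab + device path
            if (label == want) { print id; exit }
        }'
}

# stdin: efibootmgr output; $1: boot ID. Succeeds if the ID is listed in BootOrder.
in_boot_order() {
    awk -v id="$1" '
        /^BootOrder: / {
            n = split($2, order, ",")
            for (i = 1; i <= n; i++) if (toupper(order[i]) == toupper(id)) found = 1
        }
        END { exit !found }'
}

# $1: efibootmgr output; $2: GRUB entry label (assumed "debian").
# Prints the GRUB boot ID, or fails without printing anything.
grub_entry_to_remove() {
    efi_out=$1
    grub_label=${2:-debian}
    sd_id=$(printf '%s\n' "$efi_out" | boot_id_for_label "Linux Boot Manager")
    if [ -z "$sd_id" ]; then
        echo "no 'Linux Boot Manager' entry; keep GRUB for now" >&2; return 1
    fi
    if ! printf '%s\n' "$efi_out" | in_boot_order "$sd_id"; then
        echo "Boot$sd_id is not in BootOrder; keep GRUB for now" >&2; return 1
    fi
    grub_id=$(printf '%s\n' "$efi_out" | boot_id_for_label "$grub_label")
    [ -n "$grub_id" ] || { echo "no entry labelled '$grub_label'" >&2; return 1; }
    printf '%s\n' "$grub_id"
}

# Constructed sample of efibootmgr output (not captured from a real machine).
SAMPLE=$(
    printf '%s\n' 'BootCurrent: 0000' 'Timeout: 1 seconds' 'BootOrder: 0001,0000'
    printf 'Boot0000* %s\t%s\n' 'debian' 'HD(2,GPT,sample)/File(\EFI\debian\shimx64.efi)'
    printf 'Boot0001* %s\t%s\n' 'Linux Boot Manager' \
        'HD(2,GPT,sample)/File(\EFI\systemd\systemd-bootx64.efi)'
)
grub_entry_to_remove "$SAMPLE" debian   # on a real host: "$(efibootmgr)"
```

On a real host the printed ID is the value to pass as `<ID>` to `efibootmgr -b <ID> -B`.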