Want to switch from Truenas to Proxmox - few questions

Gunaka

Sep 7, 2023
Hi, TrueNAS is not really working well for me. So I want to switch to Proxmox. I just want to run 2 VMs, one Pi Hole, one Nextcloud.

Question 1: I want to encrypt my Nextcloud VM. On TrueNAS it's easy. But Proxmox does not support encryption? And I only want encryption for the Nextcloud VM. Because when Proxmox restarts, then the DNS server is always working again, without entering the encryption key. I mean the Pi Hole VM. What is the best way to encrypt my Nextcloud VM?

Question 2: Can I create backups of each VM on an external drive? I will have 3 M.2 PCIe drives in my server. One for Proxmox System, one for VMs and one for Backups. Or should I have the data of the VMs on the same drive as the Proxmox System?

Thank you very much!
 
And maybe someone has an answer, why Proxmox won't have an encryption feature? Encryption is very important.
 
> Question 1: I want to encrypt my Nextcloud VM. On TrueNAS it's easy. But Proxmox does not support encryption? And I only want encryption for the Nextcloud VM. Because when Proxmox restarts, then the DNS server is always working again, without entering the encryption key. I mean the Pi Hole VM. What is the best way to encrypt my Nextcloud VM?

PVE isn't officially supporting any encryption. You basically have three options:
1.) Encrypt your Nextcloud from inside the guest OS. Then PVE hasn't anything to do with it. (I probably would prefer that)
2.) In case ZFS is used on the host you could create an encrypted dataset and add a new ZFS storage. Virtual disks stored on that additional ZFS storage then would inherit the encryption.
3.) Use something like LUKS on the PVE host for encryption.

But in my opinion it doesn't make much sense to only encrypt individual guests. Full system encryption is always preferable if you actually want to secure your data without leaking sensitive data. Without an encrypted root filesystem, log messages from an encrypted LXC could end up on the unencrypted root filesystem of the PVE host. And data of your encrypted VM will be stored unencrypted in the volatile RAM. This alone wouldn't be a big problem, as the RAM would be wiped on a poweroff. Problematic is swapping, when your sensitive data gets swapped out from RAM to the unencrypted persistent swap partition.


> Question 2: Can I create backups of each VM on an external drive?

Yes.

> I will have 3 M.2 PCIe drives in my server. One for Proxmox System, one for VMs and one for Backups. Or should I have the data of the VMs on the same drive as the Proxmox System?

Would be fine to store system + guests on the same disk. No need for 3 disks.

> And maybe someone has an answer, why Proxmox won't have an encryption feature? Encryption is very important.

Looks like most people don't think so, as barely anyone is using it while it's already possible.
One thing that could make it difficult is that PVE is supporting a lot of different storages and it's hard to implement a new feature that will only work with specific types of storages.
And there are a lot of limitations...
For example when using ZFS native encryption you won't be able to migrate any guests. This is an upstream limitation and OpenZFS encryption development isn't very active so nothing is happening...
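
The swap leak described in the answer above can be checked on a Linux host. This is an added example, not part of the thread and not Proxmox code; the function names are hypothetical. It assumes `lsblk` and `findmnt` from util-linux, and it reports swap on ZFS as plaintext because ZFS native encryption is not visible as a dm-crypt layer.

```shell
#!/bin/sh
# Added example: list active swap areas that are NOT backed by dm-crypt/LUKS.
# Function names are hypothetical; lsblk and findmnt come from util-linux.

# Print the type of DEV and of every block device underneath it,
# one per line (for example: crypt, part, disk).
types_of() {
    lsblk -s -l -n -o TYPE "$1" 2>/dev/null
}

# Print the block device holding the filesystem that contains the given path
# (used for swap files, which have no device of their own).
backing_dev() {
    findmnt -n -o SOURCE -T "$1" 2>/dev/null
}

# plaintext_swap SWAPS_FILE
# SWAPS_FILE is in /proc/swaps format (one header line, then one swap area
# per line). Prints the name of every swap area with no "crypt" layer below it.
# Anything lsblk cannot resolve (ZFS datasets, missing devices) is reported too,
# so the check errs on the side of flagging.
plaintext_swap() {
    tail -n +2 "$1" | while read -r name kind rest; do
        [ -n "$name" ] || continue
        dev=$name
        if [ "$kind" = "file" ]; then
            dev=$(backing_dev "$name")
        fi
        if ! types_of "$dev" | grep -qw crypt; then
            echo "$name"
        fi
    done
}

# Run against the live system only when asked to.
if [ "${1:-}" = "--check" ]; then
    plaintext_swap /proc/swaps
fi
```

Run it with `--check` on the host; empty output means every active swap area sits on an encrypted mapping.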
 