Ways to launch a Container or VM after ZFS has been unlocked / mounted

Z

ZakMcRofl

New Member
Nov 15, 2022
2
0
1
Hi all,
I'm new to Proxmox.
My setup has an unencrypted main drive and encrypted ZFS filesystems that need to be unlocked after boot.
I was wondering if there is a recommended way to launch a VM/Container that requires data from zfs only after the ZFS has been (manually) mounted.

My rough ideas:
- Put the VM/Container directly on the ZFS and try to make the OS start it once mounted (some kind of post-mount script?)
- Make the VM/Container launch immediately from the main drive but somehow delay actual operating until the mounting has occured

I can probably hack together either option but was wondering if there is a more canonical way to achieve this without dirty hacks.
Any ideas would be greatly appreciated.
 
For additional security, I use full system encryption. The system disk is also fully encrypted using a passphrase and when booting I unlock the root filesystem using SSH (but physical console or IPMI webKVM would also be possible). All other ZFS pools storing the guests are also encrypted using key files which are stored on that encrypted root filesystem. And an encrypted ZFS pool using key files will be automatically unlocked before the guests are autostarted. So all I need to do is to copy-paste my passphrase once using SSH before I boot my PVE.

This is in my opinion the most secure+comfortable way to unlock PVE. Also keep in mind that PVE will store logs of your LXCs and caches out guests data in swap which might leak your encrypted data to an unencrypted disk when not using full system encryption.

But if you really want to do it your way (might have it benefits in some situations, for example if you want your pools only unlocked for a short time when you really need to access those VMs, so it stays locked as long as possible) you will need to script something. I would disable autostart of those VMs, then autorun a script when logging in through SSH that will ask you for the passphrase, unlocks the pool with it ("zfs load-key" and "zfs mount" commands) and then start the VMs ("qm start" and "pct start" commands).
 
Last edited:
Interesting, I had briefly thought about fully requesting the password before anything starts like you seem to be doing it but I felt that full disk encryption is something proxmox doesn't really offer with their installer, unless I missed it. Using SSH to unlock root would be fine by me. Could you elbatorate on how you encryted your system disk? I would rather not start over
 
ZakMcRofl said:
Interesting, I had briefly thought about fully requesting the password before anything starts like you seem to be doing it but I felt that full disk encryption is something proxmox doesn't really offer with their installer, unless I missed it. Using SSH to unlock root would be fine by me. Could you elbatorate on how you encryted your system disk? I would rather not start over
Click to expand...
The installer doesn't support it. But you can make it encrypted later. there are two options:
1.) Install a Debian 11 where the Debian installer supports LUKS encrypted LVM (and mdadm if you want software raid) and then install the dropbear-initramfs and proxmox-ve packges ontop of that, converting your encrypted Debian into a enrypted PVE: https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_11_Bullseye
https://www.cyberciti.biz/security/how-to-unlock-luks-using-dropbear-ssh-keys-remotely-in-linux/

2.) Install PVE with ZFS using the PVE installer and then follow this guide:
https://forum.proxmox.com/threads/encrypting-proxmox-ve-best-methods.88191/#post-387731
 
You must log in or register to reply here.
Top Bottom