ZFS pool and encryption

macamba

A few questions on ZFS pool creation and encryption. I read the instructions on encryption but I am not sure about the tank/encrypted_data part in the wiki. So better ask.
1) To create the pool I issued 'zpool create -f -o ashift=12 zroot mirror sda sdb -m /mnt/zroot'. I added -m /mnt/zroot since I want the pool mounted in /mnt and not in / (root)

2) For encrypting the pool I plan to issue: 'zfs create -o encryption=on -o keyformat=passphrase zroot/'.
The wiki says 'tank/encrypted_data'. I assume tank is the used pool name in the wiki?
Actually I want to encrypt everything, but it doesn't accept 'zroot/'. Is that possible or do I have to create a folder like 'zroot/encrypted_data'?

3) Issue: 'pvesm add zfspool encrypted_zfs -pool zroot/encrypted_data'

4) Load encrypted pool: 'zfs load-key zroot/encrypted_data'

Are these steps correct? The pool is by the way used for storage of data and possible VM's and containers. Proxmox runs from M2 SSD and I plan to add another SSD for caching and logging later on.

UPDATE:
I tried the above, so with 'zroot/encrypted_data' instead of 'zroot/' for now, and put a test file in the 'encrypted_data' folder. The strange thing is I can still read the file after reboot without reloading the encrypted pool by entering the password? Is that normal? How can I then test whether the encryption is working without putting the disks in a different computer?

wolfgang

Proxmox Staff Member
Hi,
To create the pool I issued 'zpool create -f -o ashift=12 zroot mirror sda sdb -m /mnt/zroot'. I added -m /mnt/zroot since I want the pool mounted in /mnt and not in / (root)
the default mount point is not '/'(root) it is the name of the pool.
So in your case '/zroot'.

The wiki says 'tank/encrypted_data'. I assume tank is the used pool name in the wiki?
Yes, this is correct.

Actually I want to encrypt everything, but it doesn't accept 'zroot/'. Is that possible or do I have to create a folder like 'zroot/encrypted_data'?
This is no folder it is a Dataset.
You can encrypt a dataset only at creation time and it is not changeable later.

The strange thing is I can still read the file after reboot without reloading the encrypted pool by entering the password?
What can you read?
 

macamba

Hi,

the default mount point is not '/'(root) it is the name of the pool.
So in your case '/zroot'.


Yes, this is correct.


This is no folder it is a Dataset.
You can encrypt a dataset only at creation time and it is not changeable later.


What can you read?
I can read the text file in the encrypted_data data set.

But let me ask the question differently.

1) Do I have to create data sets on the pool? Or is the pool ‘zroot’ in my case directly suitable for storage of files?

2) Can I encrypt the pool entirely?
 

wolfgang

Proxmox Staff Member

Yes, you have to create a dataset on this pool and encrypt this.


No
Thanks, I think I am getting closer to understanding. So also for unencrypted data I need to create datasets. The hierarchy is as follows:
- Disks
- Pool
- Dataset
- Files and folders

Correct?

Additionally, how come I don't have to enter a password when rebooting the system? The files in encrypted_data are straightaway readable unencrypted?
 

wolfgang

Proxmox Staff Member
- Disks
- Pool
- Dataset
- Files and folders

Correct?
Correct but in case of KVM images the datasets are zvols (blockdev).
And files and folders are in the emulated blockdev.

Additionally, how come I don't have to enter a password when rebooting the system? The files in encrypted_data are straightaway readable unencrypted?
This is not normally the case.
Check with the zfs command if the dataset is encrypted.
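The check wolfgang suggests, as an added example that is not part of this thread: a POSIX sh helper that reads the tab-separated output of `zfs get -H -o name,property,value encryption,keystatus,keyformat,keylocation DATASET` and states whether the dataset is encrypted and whether its key is currently loaded. The dataset names, property values and the key file path in the samples are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the thread). Verifies whether a ZFS dataset is really
# encrypted and whether its key is currently loaded, from the output of:
#   zfs get -H -o name,property,value encryption,keystatus,keyformat,keylocation DATASET
# Pipe that output into check_encryption; exit status 1 means "not encrypted".
check_encryption() {
    enc="" status="" fmt="" loc=""
    while IFS="$(printf '\t')" read -r _name prop value; do
        case "$prop" in
            encryption)  enc="$value" ;;
            keystatus)   status="$value" ;;
            keyformat)   fmt="$value" ;;
            keylocation) loc="$value" ;;
        esac
    done
    if [ -z "$enc" ] || [ "$enc" = "off" ]; then
        echo "NOT ENCRYPTED: data is stored in the clear"
        return 1
    fi
    case "$status" in
        # Expected state of a passphrase dataset right after reboot, before zfs load-key.
        unavailable) echo "encrypted ($enc, $fmt): key not loaded, data inaccessible" ;;
        available)
            if [ "$fmt" = "passphrase" ] && [ "$loc" = "prompt" ]; then
                echo "encrypted ($enc, $fmt): key loaded (passphrase was entered)"
            else
                # A key read from a keylocation file explains files being readable
                # after reboot without anyone typing a passphrase.
                echo "encrypted ($enc, $fmt): key loaded automatically from $loc"
            fi ;;
        *) echo "encrypted ($enc) but keystatus is unexpected: $status"; return 2 ;;
    esac
}

# Constructed samples (not captured from a real system) of what zfs get prints.
# 1) passphrase dataset after reboot, key not yet loaded:
SAMPLE_LOCKED="$(printf 'zroot/encrypted_data\tencryption\taes-256-gcm\nzroot/encrypted_data\tkeystatus\tunavailable\nzroot/encrypted_data\tkeyformat\tpassphrase\nzroot/encrypted_data\tkeylocation\tprompt\n')"
# 2) dataset created without -o encryption=on:
SAMPLE_PLAIN="$(printf 'zroot/data\tencryption\toff\nzroot/data\tkeystatus\t-\nzroot/data\tkeyformat\tnone\nzroot/data\tkeylocation\tnone\n')"
# 3) raw-key dataset whose key was loaded from a file on disk (path is constructed):
SAMPLE_AUTO="$(printf 'zroot/auto\tencryption\taes-256-gcm\nzroot/auto\tkeystatus\tavailable\nzroot/auto\tkeyformat\traw\nzroot/auto\tkeylocation\tfile:///etc/zfs/auto.key\n')"

printf '%s\n' "$SAMPLE_LOCKED" | check_encryption
printf '%s\n' "$SAMPLE_AUTO"   | check_encryption
printf '%s\n' "$SAMPLE_PLAIN"  | check_encryption || echo "exit status $? flags the unencrypted dataset"
```

On a live host, replace the sample with the real command output, e.g. `zfs get -H -o name,property,value encryption,keystatus,keyformat,keylocation zroot/encrypted_data | check_encryption`; a passphrase dataset that still reads "key loaded" right after reboot means the key is being supplied from somewhere other than a prompt.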
 

macamba

Correct but in case of KVM images the datasets are zvols (blockdev).
And files and folders are in the emulated blockdev.


This is not normally the case.
Check with the zfs command if the dataset is encrypted.
zvol block devices as well as emulated block devices can both be encrypted file systems?
 

macamba

Sorry, but I don't understand where the difference lies between a 'zvol blockdevice' and an 'emulated block device' when creating data sets / file systems. Also I don't understand at which point the zfs storage is ready for actually storing data on it.

Please help: are the steps below complete?

1) Create a raid-1 pool:
# zpool create -f -o ashift=12 zroot mirror sda sdb -m /mnt/zroot
I added -m /mnt/zroot since I want the pool mounted in /mnt and not in /zroot

2) Enable the encryption feature for the pool
# zpool set feature@encryption=enabled zroot

3) Create an encrypted file system for storing VM's/ LXC's:
# zfs create -o encryption=on -o keyformat=passphrase zroot/dproxmox-data

# pvesm add zfspool encrypted_zfs -pool zroot/proxmox-data

# zfs load-key zroot/proxmox-data

Is zroot/proxmox at this point ready for storing VM's and LXC's?

4) Create an encrypted file system for storing data (doc's, pictures, video's etc.)
# zfs create -o encryption=on -o keyformat=passphrase zroot/data

# zfs load-key zroot/data

Is zroot/data at this point ready for storing data?

Is this part “# pvesm add zfspool encrypted_zfs -pool zroot/proxmox-data” then what differentiates a zvol blockdevice from emulated block device?

Finally, can ‘dataset’ level be shared across the network based on CIFS, NFS, and AFP?

Fabian_E

Proxmox Staff Member
Hi,
Sorry, but I don't understand where the difference lies between a 'zvol blockdevice' and an 'emulated block device' when creating data sets / file systems. Also I don't understand at which point the zfs storage is ready for actually storing data on it.
In ZFS you can create filesystems and volumes (and snapshots), the word 'dataset' refers to all of those. ZFS filesystems have a regular filesystem interface with directories, files and attributes, while volumes (zvols) are virtual blockdevices. A 'zvol blockdevice' is an 'emulated block device'. A VM can then create a filesystem (has nothing to do with the ZFS of the host anymore) on the virtual blockdevice and store its files and directories in that filesystem.

Please help: are the steps below complete?

1) Create a raid-1 pool:
# zpool create -f -o ashift=12 zroot mirror sda sdb -m /mnt/zroot
I added -m /mnt/zroot since I want the pool mounted in /mnt and not in /zroot

2) Enable the encryption feature for the pool
# zpool set feature@encryption=enabled zroot

3) Create an encrypted file system for storing VM's/ LXC's:
# zfs create -o encryption=on -o keyformat=passphrase zroot/dproxmox-data

# pvesm add zfspool encrypted_zfs -pool zroot/proxmox-data

# zfs load-key zroot/proxmox-data

Is zroot/proxmox at this point ready for storing VM's and LXC's?
Yes, you should be able to select the storage on VM/LXC creation when you get to the 'Hard Disk' resp. 'Root Disk' tab. The virtual disks for VMs will be created as ZFS volumes and for LXC as ZFS filesystems. The encryption is inherited by all datasets from the parent filesystem, i.e. zroot/dproxmox-data.

4) Create an encrypted file system for storing data (doc's, pictures, video's etc.)
# zfs create -o encryption=on -o keyformat=passphrase zroot/data

# zfs load-key zroot/data

Is zroot/data at this point ready for storing data?
Yes. It has to be mounted, but that should happen automatically.

Is this part “# pvesm add zfspool encrypted_zfs -pool zroot/proxmox-data” then what differentiates a zvol blockdevice from emulated block device?

Finally, can ‘dataset’ level be shared across the network based on CIFS, NFS, and AFP?
While the keys are loaded you can share directories on your ZFS filesystem just as you would share directories normally.
 