ZFS VM Disk Encryption Limitations

proxenjoy

New Member
Jul 31, 2024
23
2
3
Dear community,

I am in a situation where a friend of mine allows me to use his proxmox server to create VM's. Furthermore my friend created a zfs pool I can use to store my VM's data.

1. Now, for privacy reasons I want private data not be accessible to my friend.
2. Hence, I created an encrypted ZFS pool with a passphrase keytype inside my ubuntu VM mounted to the virtual zfspool

The question: Is there any way for my friend to obtain my private data stored on the encrypted zfs pool inside my VM ? Snapshots, Clones, Migrations, Memory dumps ????

Thank you!!
 
Everything is possible with enough CPU-Power... but under normal circumstandes.. no...
 
Everything is possible with enough CPU-Power... but under normal circumstandes.. no...
Thank you for your fast reply itNGO!
So also a keylogger would not work ? when I type in my passphrase at boot ? The reason I am asking is because I read on the internet the limitations of encryption on top of a VPS. In this post a person points out the following

  • Almost all vps hosts provide a direct way to get a shell and dump the fs locally or via vnc. That would be easiest and most of the time you can't circumvent that from within the VPS.
  • Your key ends up in the RAM of the host, so a memory dump would certainly reveal it.
  • If a vps snapshot is taken including memory - now your key is in the snapshot in plain text.
Source: https://serverfault.com/questions/1061140/is-vps-disk-encryption-pointless

Is there some value to his argumentation that might apply here as well ?

Thank you again!!
 
The question: Is there any way for my friend to obtain my private data stored on the encrypted zfs pool inside my VM ?
You are manually entering a passphrase to unlock the key to decrypt your data volume?

As long as an attacker controls the hardware he can simply watch you typing in the passphrase the next time your system boots up. No "brute force attack" required...

Trust is the basis for a concept like yours - and for any other so called "secure cloud storage". The other concept is "Trust No One" and this requires data to get encrypted before it leaves your computer.
 
  • Like
Reactions: proxenjoy
Thank you for your fast reply itNGO!
So also a keylogger would not work ? when I type in my passphrase at boot ? The reason I am asking is because I read on the internet the limitations of encryption on top of a VPS. In this post a person points out the following

  • Almost all vps hosts provide a direct way to get a shell and dump the fs locally or via vnc. That would be easiest and most of the time you can't circumvent that from within the VPS.
  • Your key ends up in the RAM of the host, so a memory dump would certainly reveal it.
  • If a vps snapshot is taken including memory - now your key is in the snapshot in plain text.
Source: https://serverfault.com/questions/1061140/is-vps-disk-encryption-pointless

Is there some value to his argumentation that might apply here as well ?

Thank you again!!
Well beside the manual watching or dumping the memory at the right moment, I guess while entering the key, it is displayed with "*" and not seen on screen....

However, if he is a friend... why should he do? Because he can? Then he is no friend....
 
Well beside the manual watching or dumping the memory at the right moment, I guess while entering the key, it is displayed with "*" and not seen on screen....

However, if he is a friend... why should he do? Because he can? Then he is no friend....
Yes it's a friend and hence I know he would not do that, but I am just wondering what is theoretically possible. Because if I will host data of my friends that are not techie I want them to know if I have the possibility to snoop on their data or not.

But good point itNGO I also thought about this, if you record the console screen then when you type in the passphrase you seen nothing indeed. But maybe there is a way to record the keystrokes ?
 
ADDITION:

I just did some more research on how ZFS encryption works and found a person posting this:

To decrypt the hard disk, the encrypted master key is read from the disk, decrypted with the password, and then used to decrypt the data

Source: https://forums.freebsd.org/threads/...it-the-passphrase-can-be-changed-later.85613/

Key management: The encryption key is stored securely, either as a binary key or as the result of PBKDF2 iterations on a user-provided passphrase. This ensures that even if an attacker obtains a memory dump, they won’t be able to extract the decryption key without significant computational resources.

Does this then mean that only the decrypted master key is stored in memory ? Is that decrypted master key enough to clone the VM and spin up a fresh install of ubuntu and decrypt the zfs encrypted drives with that decrypted master key ?
 
Last edited:

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!