Thursday, November 23, 2023

Proxmox VE with ZFS Encryption

Encrypting ZFS in Proxmox is not supported out-of-the-box with Proxmox.

In this guide we will not encrypt the entire installation but only the rpool/data where the vm disks are stored. The goal is to have a user friendly but still a secure solution.

Therefor you are still able to power on or reboot the server and log into proxmox without the need for rmm of simular software solution like Dropbear to decrypt your drive first.

Log into Proxmox, start the shell and decrypt the rpool/data with your encryption key.
Your VM's won't start untill you decrypt the rpool/data.

This guide will explain how to encrypt the rpool/data on a Proxmox Server with already VM's running on it and also for a newly installed proxmox server.


Tested with:

Proxmox 8.x 
ZFS with rpool/data where the vm disks are stored (usually is with a default installation)


Proxmox without VM's (new installation):

Log into your Proxmox server and start the shell.

Let's remove the rpool/data
type: zfs destroy -r rpool/data

Now we create a new encrypted rpool/data
type: zfs create -o encryption=aes-256-ccm -o keyformat=passphrase rpool/data 

Type in the encryption password you want.

That's it easy right? 

Move on to the 
"That's it, WE ARE DONE! Not to bad ey ;)
part at the bottom!

Next encrypting a used rpool/data ...

!!! ALWAYS MAKE SURE YOU HAVE WORKING BACKUPS OF YOUR VM'S !!!

Proxmox with running VM's:

Log into your Proxmox server and start the shell.

First we will make a snapshot of all the vm disks that is stored in rpool/data
type: zfs snapshot -r rpool/data@COPY

Place the snapshot in a temporary location. This can take awhile depending how much data / vm disks there are.
type: zfs send -R rpool/data@COPY | zfs receive rpool/copydata

Let's remove the rpool/data
type: zfs destroy -r rpool/data

Now we create a new encrypted rpool/data
type: zfs create -o encryption=aes-256-ccm -o keyformat=passphrase rpool/data 

Type in the encryption password you want.

We now copy back the vm disks of the old rpool/data we created earlier to the newly encrypted rpool/data. 

Check the names and vm disks we need to copy:
type: zfs get keystatus

In my case i have 1 vm with 3 disks:

rpool/copydata
rpool/copydata@COPY
rpool/copydata/vm-100-disk-0
rpool/copydata/vm-100-disk-0@clean
rpool/copydata/vm-100-disk-0@COPY
rpool/copydata/vm-100-disk-1
rpool/copydata/vm-100-disk-1@clean
rpool/copydata/vm-100-disk-1@COPY
rpool/copydata/vm-100-disk-2
rpool/copydata/vm-100-disk-2@clean
rpool/copydata/vm-100-disk-2@COPY

Since we now know what to copy let's start:
type: zfs send -R rpool/copydata/vm-100-disk-0@COPY | zfs receive rpool/data/vm-100-disk-0

type: zfs send -R rpool/copydata/vm-100-disk-1@COPY | zfs receive rpool/data/vm-100-disk-1

type: zfs send -R rpool/copydata/vm-100-disk-1@COPY | zfs receive rpool/data/vm-100-disk-1

After this all the 3 vm's disks are copied from the temorary location to the encypted rpool/data
Let's see if we can start the VM from the Proxmox WebGUI.

Yes? Well done, let's move on and clean up the mess we left.

When everything went well and the vm's are booting, remove the temporary snapshots and data location, for me it would be:
type: zfs destroy -r rpool/copydata
type: zfs destroy -r rpool/data/vm-100-disk-0@COPY
type: zfs destroy -r rpool/data/vm-100-disk-1@COPY
type: zfs destroy -r rpool/data/vm-100-disk-2@COPY
type: zfs destroy -r rpool/data/vm-100-disk-0@clean
type: zfs destroy -r rpool/data/vm-100-disk-1@clean
type: zfs destroy -r rpool/data/vm-100-disk-2@clean


That's it, WE ARE DONE! Not to bad ey ;)

After the server has been rebooted or powered on we need to load the encryption key to decrypt the rpool/data otherwise the stored vm disks won't we available and the vm's won't start.

Log into Proxmox and start the shell.
type: zfs get keystatus rpool/data
It should say unavailable as value.

Now let's load the encryption passphrase to decrypt rpool/data
type: zfs load-key -r rpool/data

Enter you encryption passphrase and rpool/data is decrypted and you can start your vm's.

That's it, your vm disks are encrypted! 

No comments: