I’m trying to install Proxmox on a server that is going to be running Home Assistant, a security camera NVR setup and other sensitive data. I need to have the drives be encrypted, with automatic decryption of the drives so the VMs can automatically resume after a power failure.
My desired setup:
- 2 SATA SSD boot drives in a ZFS mirror
- 1 NVMe SSD for L2ARC and VM storage
- 3 HDDs in a RAIDz1 for backups and general large storage
- 1 (maybe more added later) HDD for Camera NVR VM.
I’d prefer every drive encrypted with native ZFS encryption automatically decrypted by either TPM 2.0 or manually by a passphrase if needed as a backup.
Guide I found:
I found a general guide on how to do something similar but it honestly went over my head (I’m still learning) and didn’t include much information about additional drives: Proxmox with Secure Boot and Native ZFS Encryption
If someone could adapt that post into a more noob friendly guide for the latest Proxmox version, with directions for decryption of multiple drives, that would be amazing and I’m sure it would make an excellent addition to the Proxmox wiki ;)
My 2nd preferred setup:
- 2 SATA SSD boot drives in a ZFS mirror with LUKS encryption and automatic decryption with clevis.
- All other drives encrypted using ZFS native encryption with ZFS key (keys?) stored on LUKS boot drive partition.
With this arrangement, every drive could be encrypted at rest and decrypted on boot with native ZFS encryption on most drives but has the downsides of using LUKS on ZFS for the boot drives.
Is storing the ZFS keys in a LUKS partition insecure in some way? Would this result in undecryptable drives if something happened to ZFS keys on the boot drive or can they be also decrypted with a passphrase as a backup?
As it stands right now, I’m really stuck trying to figure this out so any help or well written guides are heavily appreciated. Thanks for reading!
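The "2nd preferred setup" from the post above, as an added shell example (this is not code from the original post, from the linked guide, or from the Proxmox project): the boot mirror sits on LUKS bound to the TPM with clevis, every other pool uses ZFS native encryption, and each pool's raw wrapping key lives in a root-only file under `/etc/zfs/keys` on the LUKS-protected root, so a systemd unit can load all keys right after pool import and before `zfs-mount.service` runs. The key directory, pool names, device paths and the unit name are assumptions; only the `zfs`, `zpool`, `clevis` and `systemctl` invocations are real commands.

```shell
#!/bin/sh
# Added example, not from the original post or the Proxmox docs.
# Assumptions: root is on the LUKS-protected boot mirror, /etc/zfs/keys is on
# that root, and pool/device names are supplied by the caller.
set -eu

KEYDIR=/etc/zfs/keys     # assumed: lives on the LUKS-protected root filesystem
KEYBYTES=32              # keyformat=raw expects exactly 32 bytes

# Generate a raw wrapping key, root-only, refusing to overwrite an existing one
# (overwriting a key file would make the pool it protects unrecoverable).
make_raw_key() {
    f=$1
    if [ -e "$f" ]; then
        echo "refusing to overwrite existing key $f" >&2
        return 1
    fi
    ( umask 077 && head -c "$KEYBYTES" /dev/urandom > "$f" )
    chmod 0400 "$f"
}

# A key file is usable only if it is exactly 32 bytes and readable by root alone.
check_key_file() {
    f=$1
    size=$(wc -c < "$f" | tr -d ' ')
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    [ "$size" -eq "$KEYBYTES" ] && [ "$mode" = "400" ]
}

# The keylocation URI ZFS reads at boot for a given pool's key file.
keylocation_for() {
    printf 'file://%s/%s.key\n' "$KEYDIR" "$1"
}

# Create a pool whose root dataset (and every child inheriting from it) is
# encrypted, e.g.: create_encrypted_pool tank raidz1 /dev/disk/by-id/ata-A ...
create_encrypted_pool() {
    pool=$1; shift
    make_raw_key "$KEYDIR/$pool.key"
    check_key_file "$KEYDIR/$pool.key"
    zpool create -o ashift=12 \
        -O encryption=aes-256-gcm -O keyformat=raw \
        -O keylocation="$(keylocation_for "$pool")" \
        -O compression=lz4 -O mountpoint="/$pool" \
        "$pool" "$@"
}

# Load keys for every imported pool after zfs-import and before zfs-mount, so
# the datasets are mounted by the time the PVE services start the VMs.
install_load_key_unit() {
    cat > /etc/systemd/system/zfs-load-key.service <<'EOF'
[Unit]
Description=Load ZFS encryption keys from the LUKS-protected root
DefaultDependencies=no
After=zfs-import.target
Before=zfs-mount.service

[Service]
Type=oneshot
ExecStart=/usr/sbin/zfs load-key -a

[Install]
WantedBy=zfs.target
EOF
    systemctl daemon-reload
    systemctl enable zfs-load-key.service
}

# Bind a LUKS boot partition to the TPM with clevis; PCR 7 ties the unlock to
# the Secure Boot state. Needs clevis-initramfs and `update-initramfs -u` after.
bind_luks_to_tpm() {
    clevis luks bind -d "$1" tpm2 '{"pcr_bank":"sha256","pcr_ids":"7"}'
}

# Post-boot check: no dataset under the pool may still report keystatus=unavailable.
keys_all_available() {
    if zfs get -H -o value keystatus -t filesystem -r "$1" | grep -q '^unavailable$'; then
        return 1
    fi
    return 0
}

# Only run the destructive steps when invoked explicitly, e.g.:
#   sh zfs-keys.sh apply tank raidz1 /dev/disk/by-id/ata-HDD1 /dev/disk/by-id/ata-HDD2 ...
if [ "${1:-}" = "apply" ]; then
    shift
    mkdir -p "$KEYDIR" && chmod 0700 "$KEYDIR"
    create_encrypted_pool "$@"
    install_load_key_unit
fi
```

Two caveats worth knowing before adopting this layout. A ZFS dataset has exactly one wrapping key, not LUKS-style key slots, so there is no second "backup passphrase" for the same dataset: the backup is an offline copy of the key file, fed in by hand with `zfs load-key -L prompt tank < /media/usb/tank.key` if the boot mirror is ever lost, and `zfs change-key -o keyformat=passphrase tank` is how you would later switch a pool to a typed passphrase (the file would then hold the passphrase text instead of raw bytes). Second, the keys are only as protected as the LUKS volume they sit on: anyone who can boot the TPM-unlocked root to a shell, or read it from a running host, has every pool's key, which is the trade-off the post's own reply describes.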
I’m glad you asked, it’s always good to learn new things! The idea behind having a drive that automatically decrypts on boot is so you have data protection at rest when the server is off but are still able to have the server start up and run the tasks it needs to do without having to input a password before the machine starts up. Encryption keys are stored in the TPM, which is usually stored on the CPU, and the data should still be protected by the login prompt unless there is some type of bug that bypasses the login prompt.
So imagine a scenario where the power goes out, even just for a small amount of time. The uninterruptible power supply connected to the server allows for clean unmounting of the filesystems and then shuts the server off. The server then comes back on when power is detected from the grid again. If an encrypted drive doesn’t have automatic decryption and requires a passphrase before boot, the services that I’m self-hosting aren’t running. I’m wanting to run Home Assistant and a security camera NVR, so that could mean that I’m stumbling around in the dark tripping over things to get to the server to type in a passphrase, or there could be a robbery and I now have no evidence of who the culprit might be.
Having the drives automatically decrypt in a safe manner helps ensure higher availability (without me spending a small fortune in additional hardware costs because you can usually throw money at a problem to fix it), and data protection in the event of a smash and grab robbery.
The alternative to automatically decrypting drives while ensuring my services work after power failure is to not encrypt the drives at all.
Let me know if you have any more questions. Thank you for your post.