Encrypted Proxmox Homeserver – Questions on how to do it

I set up a homeserver running Proxmox using this guide.

Now I want to encrypt this server and would like your guidance on how to do it best.

It is just a homeserver, so I have no problem starting from scratch.

My hardware is the following:

Dual Xeon L5640 6 Core

48 GB ECC Memory

1 x 120GB SSD for boot and caching

3 x 4TB Seagate IronWolf HDD’s

Everything is contained in a Fujitsu Celsius R570 Workstation.

For security/privacy and educational reasons I would like to encrypt it as much as possible. To complicate it, I also want to be able to restart it remotely.

Recently I found out, that it is possible to run a SSH server in initramfs and using it, typing in the decryption password for the boot partition remotely. As fare as I know I need to build a custom initramfs image to accomplish this, but as I have never done this, I would like some help there.

Next I want to encrypt the HDD’s. Currently they are in a RAID Z1 array and would like to keep the redundancy. Is ZFS the best option and is my machine fast enough for deduplication?

How can I automatically decrypt the drives on boot and can I store the key on the encrypted SSD.

With a cache partition on the SSD, does the cache option during creation of a new VM do anything?

no point in encrypting if you keep the password readable on the system so it can boot by itself.

I want the key for the HDD’s on the encrypted boot SSD, witch I want to decrypt by typing in my password remotely.

My idea was to type in just one password on boot.

If there is some inherent problem with saving encryption keys on a encrypted disk, please tell me.

ah ok. that makes sense.

I cant remember exactly how… but it involves /etc/crypttab

It’s hard to encrypt a root disk once you’ve already installed to it.

The easiest way to do an encrypted Proxmox setup is to start with a minimal, vanilla Debian install. Set up the encrypted partition using the installer like you would with any other Debian system. Once installed, reboot.

Then follow the guide for installing Proxmox on Debian. You can find that here.

As for the SSH server in initram, I’ve never done it personally. This approach uses Dropbear for it. Skimming that tutorial looks like all of it should apply to Debian and Proxmox except for the Plymouth stuff, which isn’t installed by default on Debian.

For native zfs encryption on Linux you need zfs 0.8.0+ which is not yet available for Debian Sid.

You can however run zfs 0.8.0+ on Arch Linux with zfs-dkms-git. For stability choose a flavor of Manjaro. Arch will also give you a lot of choices for unlocking dm-crypt remotely.

You could then for example setup a luks encrypted BTRFS system partition with subvols & have your ZFS data encrypted with a key stored inside your encrypted BTRFS system so you only need one password to boot up the system. This will avoid problems of a server & usb key being physically stolen together.

I’ve been running a system like this for a year with linux-hardened (minus the remote initramfs) without any breakage or problems. When I created my encrypted zfs mirror I chose aes-256-gcm for the encryption scheme as I do not need deduplication & wanted better performance. Make sure you use ashift=12 when you create your zfs devices.

  • If data safety is important a mirrored vdev would be a good choice over raidz. Mirrors resilver much more quickly than raidz.

  • You could also keep your /var on a hard disk to save wear & tear on your ssd boot drive.

  • For encrypted backups look at borg.

Is it possible to use the guests full disk encryption with GPU passthrough? I have two manjaro VMs that are identical except on has full disk encryption. The one without works as expected and the one with will not output to the display. I suspect it is hung on the de crypt screen.