I set up a homeserver running Proxmox using this guide.
Now I want to encrypt this server and would like your guidance on how to do it best.
It is just a homeserver, so I have no problem starting from scratch.
My hardware is the following:
Dual Xeon L5640 6 Core
48 GB ECC Memory
1 x 120GB SSD for boot and caching
3 x 4TB Seagate IronWolf HDDs
Everything is contained in a Fujitsu Celsius R570 Workstation.
For security/privacy and educational reasons I would like to encrypt it as much as possible. To complicate it, I also want to be able to restart it remotely.
Recently I found out that it is possible to run an SSH server in initramfs and, using it, type in the decryption password for the boot partition remotely. As far as I know I need to build a custom initramfs image to accomplish this, but as I have never done this, I would like some help there.
Next I want to encrypt the HDDs. Currently they are in a RAID Z1 array and I would like to keep the redundancy. Is ZFS the best option and is my machine fast enough for deduplication?
How can I automatically decrypt the drives on boot and can I store the key on the encrypted SSD?
With a cache partition on the SSD, does the cache option during creation of a new VM do anything?
It’s hard to encrypt a root disk once you’ve already installed to it.
The easiest way to do an encrypted Proxmox setup is to start with a minimal, vanilla Debian install. Set up the encrypted partition using the installer like you would with any other Debian system. Once installed, reboot.
Then follow the guide for installing Proxmox on Debian. You can find that here.
As for the SSH server in initram, I’ve never done it personally. This approach uses Dropbear for it. Skimming that tutorial looks like all of it should apply to Debian and Proxmox except for the Plymouth stuff, which isn’t installed by default on Debian.
You could then, for example, set up a LUKS-encrypted BTRFS system partition with subvols & have your ZFS data encrypted with a key stored inside your encrypted BTRFS system so you only need one password to boot up the system. This will avoid problems of a server & USB key being physically stolen together.
I’ve been running a system like this for a year with linux-hardened (minus the remote initramfs) without any breakage or problems. When I created my encrypted zfs mirror I chose aes-256-gcm for the encryption scheme as I do not need deduplication & wanted better performance. Make sure you use ashift=12 when you create your zfs devices.
If data safety is important, a mirrored vdev would be a good choice over raidz. Mirrors resilver much more quickly than raidz.
You could also keep your /var on a hard disk to save wear & tear on your ssd boot drive.
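A sketch of the layout described in this reply, added here as an example and not part of the original post: a raw ZFS key kept on the LUKS-encrypted root, and an aes-256-gcm mirror created with ashift=12. The pool name `tank`, the key path and the device names are assumptions; the script only prints the `zpool` command so it can be reviewed before anything is run.

```sh
#!/bin/sh
# Added example. Assumed names: pool "tank", a key under /root/zfs-keys, /dev/sdX disks.
set -eu

POOL="${POOL:-tank}"

# Create a 32-byte random key (the size keyformat=raw requires), owner-read only.
# The key file must live on the LUKS-encrypted root so it is unreadable at rest.
make_key() {
    mkdir -p -m 700 "$(dirname "$1")"
    ( umask 077; head -c 32 /dev/urandom > "$1" )
    chmod 400 "$1"
}

# Refuse a key that is the wrong size or readable by group/other.
check_key() {
    ck_size=$(stat -c %s "$1")
    ck_mode=$(stat -c %a "$1")
    [ "$ck_size" -eq 32 ] || { echo "key must be 32 bytes, got $ck_size" >&2; return 1; }
    case "$ck_mode" in
        400|600) ;;
        *) echo "key mode $ck_mode is too open" >&2; return 1 ;;
    esac
}

# Print the commands instead of running them.
# -o sets a pool property (ashift); -O sets properties on the pool's root dataset.
plan_pool() {
    pp_key="$1"; shift
    echo "zpool create -o ashift=12 -O encryption=aes-256-gcm -O keyformat=raw" \
         "-O keylocation=file://$pp_key $POOL mirror $*"
    echo "zfs load-key -a && zfs mount -a   # after the encrypted root is unlocked"
}

# Usage: ./plan.sh /root/zfs-keys/tank.key /dev/sdb /dev/sdc
if [ "$#" -ge 3 ]; then
    [ -e "$1" ] || make_key "$1"
    check_key "$1"
    plan_pool "$@"
fi
```

Because the key is only as protected as the filesystem holding it, keep a copy of it offline as well: losing the root disk otherwise means losing the pool.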
Is it possible to use the guest's full disk encryption with GPU passthrough? I have two Manjaro VMs that are identical except one has full disk encryption. The one without works as expected and the one with will not output to the display. I suspect it is hung on the decrypt screen.