Proxmox 6.1 ZFS native full disk (ZFS root) encryption.

Simple guide for full-disk encryption with Proxmox and ZFS native encryption

Install normally using the installer. After the setup, reboot into recovery mode (from the USB stick). Make sure to install in UEFI mode (you need systemd-boot).

If the USB stick is not working for you because of the old kernel version (2.6.x), you can also use an Ubuntu 19.10 / 20.04 boot stick. ZFS support is enabled there out of the box.

Steps:

# Import the old pool
zpool import -f rpool

# Make a snapshot of the current one
zfs snapshot -r rpool/ROOT@copy

# Send the snapshot to a temporary root
zfs send -R rpool/ROOT@copy | zfs receive rpool/copyroot

# Destroy the old unencrypted root
zfs destroy -r rpool/ROOT

# Create a new zfs root, with encryption turned on
# Alternatively, choose the cipher explicitly with -o encryption=aes-256-gcm (aes-256-ccm vs. aes-256-gcm)
zfs create -o encryption=on -o keyformat=passphrase rpool/ROOT

# Copy the files from the copy to the new encrypted zfs root
zfs send -R rpool/copyroot/pve-1@copy | zfs receive -o encryption=on rpool/ROOT/pve-1

# Set the Mountpoint
zfs set mountpoint=/ rpool/ROOT/pve-1

# Export the pool again, so you can boot from it
zpool export rpool

If you want, turn on compression and other ZFS features afterwards.

Helpful commands:

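# List all datasets and their mountpoints
zfs list

# Check which ZFS datasets are encrypted
zfs get encryption

# Load the encryption keys (-l) and mount everything
zfs mount -l -a

# Show the pools with their size, usage and health (zpool status lists the devices)
zpool list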
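
The steps above encrypt only rpool/ROOT and do not remove the temporary rpool/copyroot, so an unencrypted copy of the root filesystem stays in the pool until it is destroyed. The following audit helper is an added example, not part of the original gist; its sample input is constructed, and rpool/data is assumed to exist as on a default Proxmox ZFS install.

```shell
#!/bin/sh
# Added example (not from the original gist): audit which datasets are
# still unencrypted after the migration steps.
#
# Both functions read tab-separated "name<TAB>value" lines on stdin, as printed by
#   zfs get -H -r -t filesystem,volume -o name,value encryption rpool

# Print every dataset whose encryption property is "off".
unencrypted_datasets() {
    awk -F '\t' '$2 == "off" { print $1 }'
}

# Succeed only if dataset $1 exists in the input and it and all of its
# children are encrypted.
subtree_encrypted() {
    awk -F '\t' -v p="$1" '
        $1 == p || index($1, p "/") == 1 {
            seen = 1
            if ($2 == "off") bad = 1
        }
        END { exit ((seen && !bad) ? 0 : 1) }
    '
}

# Constructed sample: pool state right after the steps, with the temporary
# rpool/copyroot still present. rpool/data is an assumption (default
# Proxmox ZFS layout); the cipher value shown is illustrative.
sample_state() {
    printf 'rpool\toff\n'
    printf 'rpool/ROOT\taes-256-ccm\n'
    printf 'rpool/ROOT/pve-1\taes-256-ccm\n'
    printf 'rpool/copyroot\toff\n'
    printf 'rpool/copyroot/pve-1\toff\n'
    printf 'rpool/data\toff\n'
}

echo "Unencrypted datasets in the sample:"
sample_state | unencrypted_datasets

if sample_state | subtree_encrypted rpool/ROOT; then
    echo "rpool/ROOT and its children are encrypted"
fi
```

On a live system, pipe the `zfs get` command from the header comment into the functions instead of `sample_state`.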

Original steps from Yakuraku (Proxmox forum)
