Proxmox 6.1 ZFS native full disk (ZFS root) encryption.

Simple guide to full-disk encryption of the Proxmox root filesystem with ZFS native encryption (the EFI system partition that holds the bootloader, kernel and initrd stays unencrypted).

Install normally with the installer, choosing ZFS for the root filesystem, and make sure you install in UEFI mode: Proxmox then boots through systemd-boot, which you need because the kernel and initrd must live on the unencrypted EFI system partition and the initramfs unlocks the encrypted root (GRUB cannot boot from an encrypted ZFS dataset). After the installer finishes, reboot into the recovery mode of the USB stick instead of the new system and run the steps below from there.

If the recovery mode of the Proxmox stick does not work for you because of its old kernel version (2.6.x), an Ubuntu 19.10 / 20.04 boot stick works as well; ZFS support is enabled there out of the box. Whatever you boot, its OpenZFS must be at least as new as the one Proxmox installed, otherwise the pool cannot be imported.

Steps:

# Import the existing (still unencrypted) pool; -f is needed because it was last used by the installed system
zpool import -f rpool

# Snapshot the current root recursively
zfs snapshot -r rpool/ROOT@copy

# Replicate the snapshot into a temporary, still unencrypted copy
zfs send -R rpool/ROOT@copy | zfs receive rpool/copyroot

# Destroy the old unencrypted root
zfs destroy -r rpool/ROOT

# Create a new root dataset with encryption turned on. It becomes the encryption root, so the
# key (the passphrase asked for at boot) is set here and inherited by everything created below it.
# encryption=on picks the default cipher: aes-256-ccm on ZFS 0.8.x (which Proxmox 6.1 ships),
# aes-256-gcm on OpenZFS 2.x. Pass -o encryption=aes-256-gcm explicitly if you want to pin it.
zfs create -o encryption=on -o keyformat=passphrase rpool/ROOT

# Replicate the copy back under the encrypted root; the received dataset inherits the key
zfs send -R rpool/copyroot/pve-1@copy | zfs receive -o encryption=on rpool/ROOT/pve-1

# Set the mountpoint of the new root to / (the -R stream carries the property across)
zfs set mountpoint=/ rpool/ROOT/pve-1

# Export the pool again so the installed system can import it and boot from it
zpool export rpool
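The same procedure as a script, added here as an example and not part of the original gist or of Proxmox. It folds in the problems reported in the comments: the pool is imported with -N and an altroot so the rescue system mounts nothing, the copy's mountpoint is moved away from / so two datasets never both claim /, the cipher is pinned instead of relying on the encryption=on default, and before the export the script checks for duplicate mountpoints and for any dataset under ROOT that is still unencrypted. The pool name rpool, the dataset rpool/ROOT/pve-1, the altroot /mnt and the snapshot name "copy" are assumptions made here, and the parsing helpers are this example's own; DRY_RUN=1 (the default) only prints the commands.

```shell
#!/bin/sh
# Added example: migrate an unencrypted Proxmox ZFS root to a natively encrypted dataset.
# Assumed names (not from the original page): POOL=rpool, root dataset rpool/ROOT/pve-1,
# ALTROOT=/mnt, snapshot "copy". DRY_RUN=1 prints the commands, DRY_RUN=0 executes them
# (run that only from the rescue environment, never from the installed system).
set -eu

POOL=${POOL:-rpool}
ROOT_DS=$POOL/ROOT/pve-1
COPY_DS=$POOL/copyroot
SNAP=${SNAP:-copy}
ALTROOT=${ALTROOT:-/mnt}
CIPHER=${CIPHER:-aes-256-gcm}   # encryption=on would mean aes-256-ccm on ZFS 0.8.x, aes-256-gcm on OpenZFS 2.x
DRY_RUN=${DRY_RUN:-1}

# Print a command (dry run) or execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Same for a pipeline given as one string.
run_sh() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$1"; else sh -c "$1"; fi
}

# Reads "name<TAB>mountpoint" lines (zfs list -H -o name,mountpoint -r POOL), prints every
# mountpoint claimed by more than one dataset and exits non-zero if there is one. Two datasets
# both claiming / is exactly the condition that left the system unbootable in the comments.
find_mountpoint_clashes() {
  awk -F '\t' '
    $2 != "none" && $2 != "legacy" && $2 != "-" { seen[$2]++ }
    END {
      rc = 0
      for (m in seen) if (seen[m] > 1) { print m; rc = 1 }
      exit rc
    }'
}

# Reads "name<TAB>value" lines (zfs get -H -o name,value encryption -r POOL/ROOT), prints every
# dataset whose encryption is off and exits non-zero if there is one.
find_unencrypted() {
  awk -F '\t' 'BEGIN { rc = 0 } $2 == "off" { print $1; rc = 1 } END { exit rc }'
}

migrate() {
  run zpool import -f -N -R "$ALTROOT" "$POOL"
  run zfs snapshot -r "$POOL/ROOT@$SNAP"
  # -u: receive without mounting anything in the rescue system
  run_sh "zfs send -R $POOL/ROOT@$SNAP | zfs receive -u $COPY_DS"
  # The -R stream carried mountpoint=/ into the copy; park it elsewhere so it cannot shadow the real root.
  run zfs set mountpoint="/$COPY_DS/pve-1" "$COPY_DS/pve-1"
  run zfs destroy -r "$POOL/ROOT"
  # New encryption root; the passphrase is asked for here (DRY_RUN=0) and again at every boot.
  run zfs create -o encryption="$CIPHER" -o keyformat=passphrase -o keylocation=prompt "$POOL/ROOT"
  # The received child inherits the key from its encryption root POOL/ROOT.
  run_sh "zfs send -R $COPY_DS/pve-1@$SNAP | zfs receive -u -o encryption=on $ROOT_DS"
  # The stream also carried the parked mountpoint, so put the real root back on /.
  run zfs set mountpoint=/ "$ROOT_DS"
}

# Refuse to export a pool that would not boot or that still holds plaintext under ROOT.
verify() {
  if ! clashes=$(zfs list -H -o name,mountpoint -r "$POOL" | find_mountpoint_clashes); then
    echo "mountpoint claimed by more than one dataset: $clashes" >&2
    return 1
  fi
  if ! plain=$(zfs get -H -o name,value encryption -r "$POOL/ROOT" | find_unencrypted); then
    echo "still unencrypted: $plain" >&2
    return 1
  fi
}

# Run once the encrypted system has booted: drop the unencrypted copy and the migration snapshot.
cleanup() {
  run zfs destroy -r "$COPY_DS"
  run zfs destroy -r "$ROOT_DS@$SNAP"
}

main() {
  case "${1:-migrate}" in
    migrate)
      migrate
      if [ "$DRY_RUN" = 0 ]; then verify; fi
      run zpool export "$POOL"
      ;;
    cleanup) cleanup ;;
    *) echo "usage: $0 [migrate|cleanup]" >&2; return 2 ;;
  esac
}

main "$@"
```

Usage: `sh migrate.sh` prints the plan; `DRY_RUN=0 sh migrate.sh` runs it from the rescue environment and exports the pool only if no two datasets claim the same mountpoint and every dataset under rpool/ROOT reports a cipher; `DRY_RUN=0 sh migrate.sh cleanup` on the booted, encrypted system removes the unencrypted copy that the comments recommend deleting. Keep the copy until that first successful boot: it is the fallback if the encrypted root does not come up.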

Note that the temporary copy rpool/copyroot/pve-1 still carries mountpoint=/ from the stream, so after the steps above two datasets claim / and the system will not boot until you move the copy's mountpoint elsewhere before the export (see the comments below); destroy the copy once the encrypted system has booted successfully. Compression and other ZFS features can be turned on afterwards if you want them.

Helpful commands:

# List all datasets with their mountpoints
zfs list

# Check which datasets are encrypted, and with which cipher
zfs get encryption

# Load all keys (asks for the passphrase) and mount every dataset
zfs mount -l -a

# Show the pools; zpool status shows their devices and health
zpool list

Original steps from Yakuraku (Proxmox forum)

nschemel commented May 1, 2021

Thank you very much for the writeup. It worked like a charm with one little addition.

I had to move the mount point of the dataset "rpool/copyroot/pve-1" to /rpool/copyroot/pve-1 to get it working. Without this there were two datasets with the same mount point "/" and the system didn't boot.

Another thing that works is to delete the copyroot stuff after using it. You would like to do this anyway so that you don't keep the old unencrypted root.

yvesh (author) commented May 9, 2021

@nschemel Thanks for your feedback. Weird, zfs set mountpoint=/ rpool/ROOT/pve-1 should set the mount point to / again (after you copied it to the encrypted rpool/ROOT/pve-1 again). Are you sure everything went well? (zfs get encryption)

Yes, the copyroot should be deleted afterwards (once it booted; otherwise you have a fallback when something went wrong) - zfs destroy -r rpool/copyroot/pve-1@copy

Jasperswaagman commented Jun 2, 2021

Thanks for the guide! I have one remark regarding getting into the recovery mode. To get into the recovery mode while using the Proxmox ISO, choose the "Install Proxmox VE (Debug mode)" option. From there type exit and follow the steps.

Edit: I can confirm @nschemel's addition about changing the mountpoint is needed.

@ae5960e8-a6fc-491f-b252-898ecf59af95

Could you clarify exactly what each command does and why it is part of the guide? I don't understand much of these descriptions.

stepurin commented Jun 9, 2021

I did everything according to the instructions. But I got the following problem - when the system starts, after unlocking the disk, I have time synchronization, which stops the download ... and I can’t do anything about it

aurrak commented Jul 2, 2021

I had to move the mount point of the dataset "rpool/copyroot/pve-1" to /rpool/copyroot/pve-1 to get it working. Without this there were two datasets with the same mount point "/" and the system didn't boot.

I can confirm @nschemel's addition about changing the mountpoint is needed.

I believe the above issue could be avoided if we initially import the pool with the -N or -R (or both) flag.

-N means don't mount the pool
-R means import the pool with an alternate root mountpoint

So we can do the following instead:

# Import the old 
zpool import -f -NR /tmp rpool

Source: openzfs/zfs#5192 (comment)
Source2: https://docs.oracle.com/cd/E19253-01/819-5461/gbcgl/index.html

Yyoglmaster commented Jul 22, 2021

Thanks for these wonderful instructions! I used it for PVE 7. To mount the ZFS pool I had to use Ubuntu 21.04.
20.04 uses an older version and is not able to mount. To export the pool I had to delete the snapshot. Now it's working!

andi448 commented Jul 29, 2021

@stepurin: I had the same problem with network time synchronization running into timeouts on v6.4, but I've tried the latest v7.0 and it works smoothly.

vogelfreiheit commented Oct 1, 2021

Can anyone confirm if this works well with UEFI boot + RAID1 (dual disk) configurations?

Yyoglmaster commented Oct 1, 2021

Can anyone confirm if this works well with UEFI boot + RAID1 (dual disk) configurations?

I‘m using it in this configuration. So, yes, it works!

vogelfreiheit commented Oct 1, 2021

Sweet! How does it handle the whole boot process? In the past when we did not enjoy the comforts of ZFS support in grub and co, we had to sync the boot partitions for all drives in the RAID1 set, and it was still hideous to admin.

Any specific steps for RAID1?

Yyoglmaster commented Oct 1, 2021

As I remember, I did the ZFS setup during the install process and afterwards the encryption of the pool like it is described here. The boot partition itself is not encrypted, btw. I think you have to do it by hand, and I think I can remember there are some resync steps necessary.
I hope this can answer your question…

vogelfreiheit commented Oct 3, 2021

Could you or the original author update the instructions? I replicated these in a guest and like you mentioned, it is necessary to remove the copy and snapshot. My boot process has slowed down significantly though, this is a current gen Xeon system with quite a bit of power.

bung69 commented Nov 23, 2021

For anyone wondering how to get into a Proxmox 7 recovery environment: after some trial and error with the recovery mode just booting up my Proxmox 7 install, boot the installer USB, then Alt+F4 to exit and then right-click to get a terminal emulator.
