Simple guide for fulldisk encryption with Proxmox and ZFS native encryption
Install normally using the installer; after the setup, reboot into recovery mode (from the USB stick). Make sure to install in UEFI mode (you need systemd-boot).
If the USB stick is not working for you because of the old kernel version (2.6.x), you can also use an Ubuntu 19.10 / 20.04 boot stick. ZFS support is enabled there out of the box.
Steps:
# Import the old pool
zpool import -f rpool
# Make a snapshot of the current one
zfs snapshot -r rpool/ROOT@copy
# Send the snapshot to a temporary root
zfs send -R rpool/ROOT@copy | zfs receive rpool/copyroot
# Destroy the old unencrypted root
zfs destroy -r rpool/ROOT
# Create a new zfs root, with encryption turned on
# Alternatively pick the cipher explicitly, e.g. -o encryption=aes-256-gcm (aes-256-ccm vs. aes-256-gcm)
zfs create -o encryption=on -o keyformat=passphrase rpool/ROOT
# Copy the files from the copy to the new encrypted zfs root
zfs send -R rpool/copyroot/pve-1@copy | zfs receive -o encryption=on rpool/ROOT/pve-1
# Set the Mountpoint
zfs set mountpoint=/ rpool/ROOT/pve-1
# Delete the old unencrypted copy
zfs destroy -r rpool/copyroot
# Export the pool again, so you can boot from it
zpool export rpool
If you want, turn compression and other ZFS features on afterwards.
Helpful commands:
# List all datasets and their mountpoints
zfs list
# Check which datasets are encrypted (and with which cipher)
zfs get encryption
# Load the keys and mount all datasets
zfs mount -l -a
# Show the pools, their size and health
zpool list
Original steps from Yakuraku (proxmox-forum). Thanks to @nschemel for suggesting to delete the copy.
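As an added check (not part of the gist), the following POSIX sh function audits the output of `zfs get -H -o name,property,value encryption,keystatus -r rpool` and reports every dataset at or below a given prefix that is still unencrypted or whose key is not loaded, so a forgotten `copyroot` or an unloaded key shows up immediately. The dataset names in the sample are constructed to match this guide; only `awk` is needed.

```shell
#!/bin/sh
# Added example, not from the gist or from Proxmox: audit the output of
#   zfs get -H -o name,property,value encryption,keystatus -r rpool
# Reports datasets at/below a prefix that are unencrypted or have no key loaded.
# Exit status 1 means at least one finding. On a live host:
#   zfs get -H -o name,property,value encryption,keystatus -r rpool | audit_encryption rpool/ROOT
audit_encryption() {
    awk -v prefix="$1" '
        BEGIN { bad = 0 }
        # only datasets equal to the prefix or below it
        $1 == prefix || index($1, prefix "/") == 1 {
            if ($2 == "encryption" && $3 == "off") { print "UNENCRYPTED " $1; bad = 1 }
            if ($2 == "keystatus" && $3 == "unavailable") { print "KEY-NOT-LOADED " $1; bad = 1 }
        }
        END { exit bad }'
}

# Constructed sample: what the command above might print right after the
# migration if "zfs destroy -r rpool/copyroot" had been forgotten.
SAMPLE_ZFS_GET='rpool	encryption	off
rpool	keystatus	none
rpool/ROOT	encryption	aes-256-gcm
rpool/ROOT	keystatus	available
rpool/ROOT/pve-1	encryption	aes-256-gcm
rpool/ROOT/pve-1	keystatus	available
rpool/copyroot	encryption	off
rpool/copyroot	keystatus	none
rpool/copyroot/pve-1	encryption	off
rpool/copyroot/pve-1	keystatus	none
rpool/data	encryption	off
rpool/data	keystatus	none'

# Demo helper: audit one prefix of the sample, returning the audit status.
audit_sample() {
    printf '%s\n' "$SAMPLE_ZFS_GET" | audit_encryption "$1"
}

# The new root is clean; the leftover copy is not.
audit_sample rpool/ROOT && echo "rpool/ROOT: all datasets encrypted, keys loaded"
audit_sample rpool/copyroot || echo "rpool/copyroot: leftover unencrypted data, destroy it"
```

Run `audit_encryption rpool` over the whole pool to see everything that is unencrypted, including datasets such as `rpool/data` that this guide leaves untouched.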
Thank you very much for the writeup. It worked like a charm with one little addition.
I had to move the mount point of the dataset "rpool/copyroot/pve-1" to /rpool/copyroot/pve-1 to get it working. Without this there were two datasets with the same mount point "/" and the system didn't boot.
Another thing that works is to delete the copyroot stuff after using it. You would like to do this anyway so that you don't keep the old unencrypted root.