@yvesh
Last active March 12, 2024 04:52
Proxmox 6.1 ZFS native full disk (ZFS root) encryption.

Simple guide for full-disk encryption with Proxmox and ZFS native encryption

Install normally using the installer; after the setup, reboot into recovery mode (from the USB stick). Make sure to install in UEFI mode (you need systemd-boot).

If the USB stick is not working for you because of the old kernel version (2.6.x), you can also use an Ubuntu 19.10 / 20.04 boot stick. ZFS support is enabled there out of the box.

Steps:

# Import the old pool
zpool import -f rpool

# Make a snapshot of the current one
zfs snapshot -r rpool/ROOT@copy

# Send the snapshot to a temporary root
zfs send -R rpool/ROOT@copy | zfs receive rpool/copyroot

# Destroy the old unencrypted root
zfs destroy -r rpool/ROOT

# Create a new zfs root, with encryption turned on
# encryption=on selects the default cipher (aes-256-ccm on ZFS 0.8, aes-256-gcm on ZFS 2.0+);
# to pick one explicitly use e.g. -o encryption=aes-256-gcm instead of -o encryption=on
zfs create -o encryption=on -o keyformat=passphrase rpool/ROOT

# Copy the files from the copy to the new encrypted zfs root
zfs send -R rpool/copyroot/pve-1@copy | zfs receive -o encryption=on rpool/ROOT/pve-1

# Set the Mountpoint
zfs set mountpoint=/ rpool/ROOT/pve-1

# Delete the old unencrypted copy
zfs destroy -r rpool/copyroot

# Export the pool again, so you can boot from it
zpool export rpool

If you want, turn compression and other ZFS features on afterwards.

Helpful commands:

# list all mounts
zfs list

# Check which ZFS datasets are encrypted (and with which cipher)
zfs get encryption

# Mount everything
zfs mount -l -a

# Show status and devices
zpool list
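As a check after the steps above, here is a small Python audit (an added example, not part of the gist) that parses the output of `zfs get` and `zfs list` and flags what should not survive the migration: unencrypted datasets under rpool, encrypted datasets whose key is not loaded, more than one dataset claiming mountpoint=/, and the temporary rpool/copyroot plus any @copy snapshots (the leftovers the comment thread below identifies as a cause of services failing at boot). The sample output is constructed, and the `audit_live` helper and the pool/dataset names are assumptions based on the layout this gist uses.

```python
#!/usr/bin/env python3
"""Post-migration audit for the ZFS-root encryption steps above (added example).

It reads the tab-separated output of two commands:
    zfs get -r -H -o name,property,value encryption,keystatus,mountpoint rpool
    zfs list -r -H -t snapshot -o name rpool
and reports what is worth confirming before rebooting: every dataset under the
pool is encrypted with its key loaded, only one dataset wants mountpoint=/,
and the temporary rpool/copyroot and the @copy snapshots are gone.
"""
import subprocess
from typing import Dict, List

# Constructed sample output (not captured from a real host): rpool/data was
# never encrypted and the temporary root plus its snapshots were not destroyed.
SAMPLE_GET = "\n".join([
    "rpool\tencryption\toff",
    "rpool\tkeystatus\t-",
    "rpool\tmountpoint\t/rpool",
    "rpool/ROOT\tencryption\taes-256-gcm",
    "rpool/ROOT\tkeystatus\tavailable",
    "rpool/ROOT\tmountpoint\t/rpool/ROOT",
    "rpool/ROOT/pve-1\tencryption\taes-256-gcm",
    "rpool/ROOT/pve-1\tkeystatus\tavailable",
    "rpool/ROOT/pve-1\tmountpoint\t/",
    "rpool/copyroot\tencryption\toff",
    "rpool/copyroot\tkeystatus\t-",
    "rpool/copyroot\tmountpoint\t/rpool/copyroot",
    "rpool/copyroot/pve-1\tencryption\toff",
    "rpool/copyroot/pve-1\tkeystatus\t-",
    "rpool/copyroot/pve-1\tmountpoint\t/",
    "rpool/data\tencryption\toff",
    "rpool/data\tkeystatus\t-",
    "rpool/data\tmountpoint\t/rpool/data",
]) + "\n"
SAMPLE_SNAPSHOTS = "rpool/copyroot/pve-1@copy\nrpool/ROOT/pve-1@copy\n"


def parse_zfs_get(text: str) -> Dict[str, Dict[str, str]]:
    """Map `zfs get -H -o name,property,value` lines to {dataset: {property: value}}."""
    props: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, prop, value = line.split("\t")[:3]
        props.setdefault(name, {})[prop] = value
    return props


def audit(get_output: str, snapshot_output: str, pool: str = "rpool",
          temp_root: str = "rpool/copyroot", snap_suffix: str = "@copy") -> List[str]:
    """Return a list of findings; an empty list means the migration looks clean."""
    findings: List[str] = []
    datasets = parse_zfs_get(get_output)
    for name, p in sorted(datasets.items()):
        if name == pool:
            # The pool's top-level dataset stays unencrypted; the guide encrypts
            # rpool/ROOT (and, per the author's comment, rpool/data) underneath it.
            continue
        if name == temp_root or name.startswith(temp_root + "/"):
            findings.append(f"leftover temporary root {name}: run 'zfs destroy -r {temp_root}'")
            continue
        if p.get("encryption", "off") == "off":
            findings.append(f"unencrypted dataset: {name}")
        elif p.get("keystatus") != "available":
            # zfs reports 'unavailable' until 'zfs load-key' / 'zfs mount -l' has run
            findings.append(f"key not loaded for {name} (keystatus={p.get('keystatus')})")
    roots = sorted(n for n, p in datasets.items() if p.get("mountpoint") == "/")
    if len(roots) > 1:
        findings.append("more than one dataset wants mountpoint=/: " + ", ".join(roots))
    for snap in snapshot_output.split():
        if snap.endswith(snap_suffix):
            findings.append(f"leftover migration snapshot: {snap}")
    return findings


def audit_live(pool: str = "rpool") -> List[str]:
    """Run the two zfs commands on this host and audit their output (assumed helper)."""
    get_out = subprocess.run(
        ["zfs", "get", "-r", "-H", "-o", "name,property,value",
         "encryption,keystatus,mountpoint", pool],
        check=True, capture_output=True, text=True).stdout
    snap_out = subprocess.run(
        ["zfs", "list", "-r", "-H", "-t", "snapshot", "-o", "name", pool],
        check=True, capture_output=True, text=True).stdout
    return audit(get_out, snap_out, pool=pool)


if __name__ == "__main__":
    for finding in audit(SAMPLE_GET, SAMPLE_SNAPSHOTS) or ["clean: nothing left over"]:
        print(finding)
```

Run it from the recovery shell after `zpool import -f rpool` and `zfs load-key -a`, replacing the sample call with `audit_live()`; every finding maps to one of the commands in the steps above.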

Original steps from Yakuraku (proxmox-forum). Thanks to @nschemel for suggesting to delete the copy.

@yvesh

yvesh commented Mar 12, 2023

Why do we not encrypt rpool/data as well?

Hi, I am encrypting rpool/data too. I just didn't add it to the gist to keep it short. It's basically the same commands.

@uplight-dev

Has anyone encountered issues with login being slow after enabling encryption? Perhaps (some of) the errors pasted above?

@TrulsZK

TrulsZK commented Jul 16, 2023

Did some testing during my reinstalls/upgrade to Proxmox VE 8.0 and managed to reproduce the issues reported here (like services failing to start on boot) after enabling encryption.

The issue seems to be related to not properly destroying the temporary root ZFS filesystem and snapshot. Make sure to do so when encrypting the rpool/ROOT dataset.

zfs destroy -r rpool/copyroot

If you already have the server up and running just press e in the systemd-boot bootloader and remove the entire argument and press enter (or use recovery mode from the USB stick) and run the following:

# Load the kernel module (when using systemd-boot)
modprobe zfs

# Import the old pool
zpool import -f rpool

# Delete the old unencrypted copy
zfs destroy -r rpool/copyroot

# Export the pool again, so you can boot from it
zpool export rpool

@tomaszkiewicz

Does it work for 8.1? I've tried the whole procedure (from Proxmox ISO as I had troubles getting into initrd shell), both with secure boot enabled (thus using grub) as well as with disabled one, but every time it hangs just after loading initrd...


@mr44er

mr44er commented Feb 8, 2024

I'm running this config since my post in 2022, all nodes on 8.1.4 now. Some with UEFI, some older ones without UEFI.

@tomaszkiewicz

Ok, I managed to resolve it - if someone experiences that you probably need "simplefb" module for initramfs to be added - https://forum.proxmox.com/threads/native-full-disk-encryption-with-zfs.140170/#post-628782
