[pve-devel] [PATCH 0/2] PoC for zfs native encryption inpve-installer
Gregor Michels
hirnpfirsich at testing.brainpeach.de
Sat Apr 2 17:45:45 CEST 2022
On 31/03/22 13:28, Fabian Grünbichler wrote:
> On March 31, 2022 12:22 am, Gregor Michels via pve-devel wrote:
> > Hello everybody !
> >
> > I wanted to have a fully encrypted PVE instance utilising the native
> > encryption of zfs.
> >
> > Unfortunately the PVE installer itself does not support this usecase.
> > There are various guides out there that do a vanilla install and then
> > use zfs send and receive to encrypt the rootfs.
> > But that is tedious manual work.
> >
> > Therefore I looked into the pve-installer repository and glued this
> > proof of concept together.
> > Because the initramfs support for a zfs encrypted rootfs is already
> > upstream in debian (or openzfs I'm not sure) I only needed to modify the
> > pool creation commands in proxinstall.
> >
> > I also added a rudimentary text field in the "Advanced Options" section
> > of the zfs partitioning wizard to be able to input a passphrase.
> >
> > This is by no means a "finished" implementation.
> >
> > If you want to support this usecase officially in the installer I would
> > love to finish up the implementation. There are also some design
> > decision left to discuss. I think the following todos exist:
> >
> > * have two text fields for the passphrase, just like the root password
> > * let the user choose an encryption alogorithm, instead of the default
> > shipped by OpenZFS
> > * enable "remote unblock" via ssh directly in the installer
> >
> > Thank you in advance,
> > hirnpfirsich
> >
> > Gregor Michels (2):
> > zfs_create_rpool: add support for native encryption
> > create_raid_advanced_grid: add text box for zfs native encryption
> >
> > proxinstall | 22 +++++++++++++++++++++-
> > 1 file changed, 21 insertions(+), 1 deletion(-)
>
> see the following two bugs:
>
> https://bugzilla.proxmox.com/show_bug.cgi?id=2714
> https://bugzilla.proxmox.com/show_bug.cgi?id=2350
>
> the second contains some info why we have not pushed for built-in
> support for ZFS native encryption yet. upstream is working on ironing
> some of the kinks and we are monitoring the situation.
>
Sorry that I did not check your bugtracker first. I do understand the
situation now.
Hope upstream moves fast because a full-disk-encrypted PVE setup would
be pretty sweet.
More information about the pve-devel
mailing list