[pve-devel] [PATCH 0/2] PoC for zfs native encryption in pve-installer
Fabian Grünbichler
f.gruenbichler at proxmox.com
Thu Mar 31 13:28:40 CEST 2022
On March 31, 2022 12:22 am, Gregor Michels via pve-devel wrote:
> Hello everybody !
>
> I wanted to have a fully encrypted PVE instance utilising the native
> encryption of zfs.
>
> Unfortunately the PVE installer itself does not support this usecase.
> There are various guides out there that do a vanilla install and then
> use zfs send and receive to encrypt the rootfs.
> But that is tedious manual work.
>
> Therefore I looked into the pve-installer repository and glued this
> proof of concept together.
> Because the initramfs support for a zfs encrypted rootfs is already
> upstream in debian (or openzfs I'm not sure) I only needed to modify the
> pool creation commands in proxinstall.
>
> I also added a rudimentary text field in the "Advanced Options" section
> of the zfs partitioning wizard to be able to input a passphrase.
>
> This is by no means a "finished" implementation.
>
> If you want to support this usecase officially in the installer I would
> love to finish up the implementation. There are also some design
> decision left to discuss. I think the following todos exist:
>
> * have two text fields for the passphrase, just like the root password
> * let the user choose an encryption alogorithm, instead of the default
> shipped by OpenZFS
> * enable "remote unblock" via ssh directly in the installer
>
> Thank you in advance,
> hirnpfirsich
>
> Gregor Michels (2):
> zfs_create_rpool: add support for native encryption
> create_raid_advanced_grid: add text box for zfs native encryption
>
> proxinstall | 22 +++++++++++++++++++++-
> 1 file changed, 21 insertions(+), 1 deletion(-)
see the following two bugs:
https://bugzilla.proxmox.com/show_bug.cgi?id=2714
https://bugzilla.proxmox.com/show_bug.cgi?id=2350
the second contains some info why we have not pushed for built-in
support for ZFS native encryption yet. upstream is working on ironing
some of the kinks and we are monitoring the situation.
More information about the pve-devel
mailing list