[pve-devel] [PATCH 0/2] PoC for zfs native encryption in pve-installer

Fabian Grünbichler f.gruenbichler at proxmox.com
Thu Mar 31 13:28:40 CEST 2022


On March 31, 2022 12:22 am, Gregor Michels via pve-devel wrote:
> Hello everybody !
> 
> I wanted to have a fully encrypted PVE instance utilising the native
> encryption of zfs.
> 
> Unfortunately the PVE installer itself does not support this usecase.
> There are various guides out there that do a vanilla install and then
> use zfs send and receive to encrypt the rootfs.
> But that is tedious manual work.
> 
> Therefore I looked into the pve-installer repository and glued this
> proof of concept together.
> Because the initramfs support for a zfs encrypted rootfs is already
> upstream in debian (or openzfs I'm not sure) I only needed to modify the
> pool creation commands in proxinstall.
> 
> I also added a rudimentary text field in the "Advanced Options" section
> of the zfs partitioning wizard to be able to input a passphrase.
> 
> This is by no means a "finished" implementation.
> 
> If you want to support this usecase officially in the installer I would
> love to finish up the implementation. There are also some design
> decision left to discuss. I think the following todos exist:
> 
> * have two text fields for the passphrase, just like the root password
> * let the user choose an encryption alogorithm, instead of the default
>    shipped by OpenZFS
> * enable "remote unblock" via ssh directly in the installer
> 
> Thank you in advance,
> hirnpfirsich
> 
> Gregor Michels (2):
>    zfs_create_rpool: add support for native encryption
>    create_raid_advanced_grid: add text box for zfs native encryption
> 
>   proxinstall | 22 +++++++++++++++++++++-
>   1 file changed, 21 insertions(+), 1 deletion(-)

see the following two bugs:

 https://bugzilla.proxmox.com/show_bug.cgi?id=2714
 https://bugzilla.proxmox.com/show_bug.cgi?id=2350

the second contains some info why we have not pushed for built-in 
support for ZFS native encryption yet. upstream is working on ironing 
some of the kinks and we are monitoring the situation.





More information about the pve-devel mailing list