ZFS native encryption support was merged in August of last year, which means it should be in every ZFSonLinux release since 0.7.2. However, the latest released ZFS packages in bionic (0.7.5) seem to be missing this functionality:

Cannot set property for 'pool': invalid feature 'encryption'

ii libzfs2linux 0.7.5-1ubuntu2 amd64 OpenZFS filesystem library for Linux
ii zfs-zed 0.7.5-1ubuntu2 amd64 OpenZFS Event Daemon
ii zfsutils-linux 0.7.5-1ubuntu2 amd64 command-line tools to manage OpenZFS filesystems

Personally, I consider this pretty important functionality to make sure is present in 18.04, so I hope there's time to get it fixed before then.

LiveMediaBuild: Ubuntu 18.
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair

There is a ZFS native encryption implementation that has been done for a while (from iXsystems IIRC) and was initially targeted at 12R, but the last time I saw it, it was not quite ready to merge, and they are also trying to fix a particular security issue that exists when encryption is used with deduplication, and that is present in all ZFS native encryption implementations.

Issue: VMs and containers shall be kept on encrypted storage

Encrypting data at rest protects data in case of stolen physical disks.

Solution: Provide encrypted ZFS dataset for use by Proxmox

ZFS has native encryption capabilities, but it is not easily usable in Proxmox. We use native ZFS encryption with an encryption key stored on another machine. This way, the Proxmox host can be started without entering an encryption key at machine startup, but still gets the benefit of encrypted data at rest. Note what this does and does not protect: disks that leave the machine are unreadable, but anyone who can boot the whole host on a network from which the key server is reachable gets the key as well, so restricting who may fetch the key is what makes the scheme hold.

Create an encryption key and store it on your key server (here: mykeyserver.local):

openssl rand -out zfs-testkey.raw 32

Make sure to restrict access so that the key can only be retrieved by the host for which it is relevant. For the example, we make the key accessible via https. An alternative (I like that better) would be to make it available via ssh access so that it can be retrieved using scp.

Create an encrypted dataset on the Proxmox host like this:

wget --directory-prefix=/dev/shm
zfs create -o encryption=aes-256-gcm -o keyformat=raw -o keylocation=file:///dev/shm/zfs-testkey.raw rpool/pvestorage

"/dev/shm" is volatile storage (RAM disk), so the key is not written to the local disks. One caveat: tmpfs pages can be swapped out, so a host with unencrypted swap can still end up with the key on disk; no swap or encrypted swap avoids this.

Encryption cannot be activated on an existing dataset, only on dataset creation. Encryption is inherited by child datasets. This means if we encrypt the dataset in which Proxmox stores the disks of virtual machines or containers, these disks also get encrypted. Instead of creating a new dataset and making that available in Proxmox, you may also delete the default dataset "rpool/data" and recreate it with encryption. Deleting it destroys whatever guest disks are stored there, so only do this on a fresh installation or after moving the guests elsewhere.

You can check the encryption status using:

zfs get -p encryption,keystatus,keylocation,encryptionroot

To load the encryption key automatically on machine startup, create a systemd service file:

nano -w /etc/systemd/system/rvice
Description=Load ZFS encryption key and mount datasets
ExecStart=wget --directory-prefix=/dev/shm

We make sure to start this service after the network is available but before Proxmox attempts to automatically start any VMs or containers.
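The key-loading step described above, as an added example that is not the post's own script (the page's unit file is cut off): a POSIX sh helper that the systemd unit runs at boot. It fetches the key over https into /dev/shm, checks it before ZFS ever sees it (32 bytes, and optionally a pinned SHA-256 of the key you generated with openssl), loads the key only if it is not already loaded, mounts the datasets, removes the file from RAM afterwards, and writes a unit with the ordering the post asks for: after the network is up, before Proxmox autostarts guests. The key URL, the pinned hash, the dataset name rpool/pvestorage, zfs-import.target and pve-guests.service (the Proxmox guest-autostart unit) are assumptions, not taken from the page.

```sh
#!/bin/sh
# Added example, not the post's own code. Key-loading helper for the systemd unit.
# Assumed names: KEY_URL, KEY_SHA256, rpool/pvestorage, zfs-import.target, pve-guests.service.
set -eu

KEY_URL="${KEY_URL:-https://mykeyserver.local/zfs-testkey.raw}"   # assumed key server URL
KEY_FILE="${KEY_FILE:-/dev/shm/zfs-testkey.raw}"                  # tmpfs, matches keylocation
DATASET="${DATASET:-rpool/pvestorage}"                            # the encryption root
KEY_SHA256="${KEY_SHA256:-}"   # sha256 of the generated key; empty skips the pin check

# fetch_key: download the key over https into tmpfs, readable by root only
fetch_key() {
    umask 077
    wget -q -O "$KEY_FILE" "$KEY_URL"
    chmod 600 "$KEY_FILE"
}

# verify_key FILE EXPECTED_SHA256: succeed only if FILE is a 32-byte raw key and,
# when EXPECTED_SHA256 is non-empty, its SHA-256 matches the pin.
verify_key() {
    file=$1
    expected=$2
    size=$(wc -c < "$file" | tr -d ' ')
    if [ "$size" -ne 32 ]; then
        echo "refusing key: $size bytes, expected 32" >&2
        return 1
    fi
    if [ -n "$expected" ]; then
        actual=$(sha256sum "$file" | cut -d ' ' -f 1)
        if [ "$actual" != "$expected" ]; then
            echo "refusing key: SHA-256 mismatch" >&2
            return 1
        fi
    fi
    return 0
}

# load_key_and_mount: hand the key to ZFS (skipping the load if a restart of the
# unit finds it already loaded), mount, then drop the copy in /dev/shm: ZFS only
# reads keylocation at load time and keeps the key in kernel memory afterwards.
load_key_and_mount() {
    if [ "$(zfs get -H -o value keystatus "$DATASET")" != "available" ]; then
        zfs load-key "$DATASET"
    fi
    zfs mount -a
    rm -f "$KEY_FILE"
    zfs get -H -o value keystatus "$DATASET"   # "available" on success
}

# write_unit DIR: write the systemd unit into DIR (normally /etc/systemd/system).
# The ordering is the point: after the network is online, before Proxmox starts guests.
write_unit() {
    cat > "$1/zfs-load-key-pvestorage.service" <<'EOF'
[Unit]
Description=Load ZFS encryption key and mount datasets
Wants=network-online.target
After=network-online.target zfs-import.target
Before=pve-guests.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/zfs-load-key.sh run

[Install]
WantedBy=multi-user.target
EOF
}

main() {
    fetch_key
    verify_key "$KEY_FILE" "$KEY_SHA256"
    load_key_and_mount
}

# The unit invokes "zfs-load-key.sh run"; sourcing the file only defines the functions.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Install it as /usr/local/sbin/zfs-load-key.sh, run `write_unit /etc/systemd/system` once, then `systemctl enable zfs-load-key-pvestorage.service`. With keyformat=raw a wrong key already fails at `zfs load-key`, because ZFS checks it against the wrapped master key; the pinned hash adds an earlier, explicit failure for a tampered or misconfigured key server, and the size check stops an HTML error page or an empty file from being treated as a key.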