From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH 0/2] PoC for zfs native encryption in pve-installer
Date: Thu, 31 Mar 2022 13:28:40 +0200 [thread overview]
Message-ID: <1648726019.ahvwlgv5fi.astroid@nora.none> (raw)
In-Reply-To: <mailman.13.1648679357.377.pve-devel@lists.proxmox.com>
On March 31, 2022 12:22 am, Gregor Michels via pve-devel wrote:
> Hello everybody !
>
> I wanted to have a fully encrypted PVE instance utilising the native
> encryption of zfs.
>
> Unfortunately the PVE installer itself does not support this usecase.
> There are various guides out there that do a vanilla install and then
> use zfs send and receive to encrypt the rootfs.
> But that is tedious manual work.
>
> Therefore I looked into the pve-installer repository and glued this
> proof of concept together.
> Because the initramfs support for a zfs encrypted rootfs is already
> upstream in debian (or openzfs I'm not sure) I only needed to modify the
> pool creation commands in proxinstall.
>
> I also added a rudimentary text field in the "Advanced Options" section
> of the zfs partitioning wizard to be able to input a passphrase.
>
> This is by no means a "finished" implementation.
>
> If you want to support this usecase officially in the installer I would
> love to finish up the implementation. There are also some design
> decision left to discuss. I think the following todos exist:
>
> * have two text fields for the passphrase, just like the root password
> * let the user choose an encryption alogorithm, instead of the default
> shipped by OpenZFS
> * enable "remote unblock" via ssh directly in the installer
>
> Thank you in advance,
> hirnpfirsich
>
> Gregor Michels (2):
> zfs_create_rpool: add support for native encryption
> create_raid_advanced_grid: add text box for zfs native encryption
>
> proxinstall | 22 +++++++++++++++++++++-
> 1 file changed, 21 insertions(+), 1 deletion(-)
see the following two bugs:
https://bugzilla.proxmox.com/show_bug.cgi?id=2714
https://bugzilla.proxmox.com/show_bug.cgi?id=2350
the second contains some info why we have not pushed for built-in
support for ZFS native encryption yet. upstream is working on ironing
some of the kinks and we are monitoring the situation.
parent reply other threads:[~2022-03-31 11:29 UTC|newest]
Thread overview: expand[flat|nested] mbox.gz Atom feed
[parent not found: <mailman.13.1648679357.377.pve-devel@lists.proxmox.com>]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1648726019.ahvwlgv5fi.astroid@nora.none \
--to=f.gruenbichler@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox