From: Tom Weber
To: pve-user@lists.proxmox.com
Date: Mon, 1 Nov 2021 14:58:53 +0100
Message-ID: <31206b58-3a29-ef80-3534-13c556918832@4t2.com>
Subject: [PVE-User] How to secure the PBS Encryption Key

Hello,

in https://forum.proxmox.com/threads/cant-set-an-symlink-in-etc-pve-for-zfs-encryption.96934/ fireon describes his problem securing the PBS encryption key. I think his solution is only a workaround.

Suppose I encrypt local VM/Data storage on a node (without the / being unencrypted for ease of booting/remote management), I end up with a PBS Encryption Key lying around in clear that anyone who can get hands on the machine can get. Now all it needs is access to a remote PBS with the synced encrypted backups to get all the protected data that was in the VMs/CTs lying on encrypted storage of the original node.

This is probably not a problem of PVE or PBS on their own. But in combination I think it's a weakness. "Stealing" hardware should not give you such cleartext keys.

Any idea how to circumvent this? My first idea was the same direction as fireon's by symlinking the key from some secure space - but this obviously doesn't work. Some way to manually unlock the key after booting the node or maybe an area (folder) in /etc/pve/ that'd need unlocking for storing such information - though that's probably quite some development effort?

Best,
Tom