[PVE-User] Where is ZFS encryption key in Proxmox 7.1

[PVE-User] Where is ZFS encryption key in Proxmox 7.1

[Eric Abreu]

Hello everyone,

I have created a ZFS pool from Proxmox 7.1 web interface with 2 SSDs in
RAID 1. I noticed that everything works fine after I created the pool, and
ZFS at REST encryption was also enabled. After rebooting the server it did
not ask for a passphrase so my guess is that Proxmox is getting the key
from somewhere in the file system. Anyone could help me find out where?

Thanks in advance.

Re: [PVE-User] Where is ZFS encryption key in Proxmox 7.1

[Thomas Lamprecht]

Hi,

On 30.11.21 04:36, Eric Abreu wrote:
> I have created a ZFS pool from Proxmox 7.1 web interface with 2 SSDs in
> RAID 1. I noticed that everything works fine after I created the pool, and
> ZFS at REST encryption was also enabled. After rebooting the server it did
> not ask for a passphrase so my guess is that Proxmox is getting the key
> from somewhere in the file system. Anyone could help me find out where?

Well, how did you enable ZFS at rest encryption? As that is something that won't
be done automatically, and the local-storage web-interface/api currently does not
allow to configure that either.

cheers,
Thomas

Re: [PVE-User] Where is ZFS encryption key in Proxmox 7.1

[Eric Abreu]

Hi Thomas,

Thanks for the quick response. I'm going to repeat the steps to create the
ZFS pool from the web interface and paste them here. I'm pretty sure I did
everything from the dashboard and the encryption was enabled by default.
I'll keep you posted. Thanks again for your help.

On Tue, Nov 30, 2021 at 3:37 AM Thomas Lamprecht <t.lamprecht@proxmox.com>
wrote:

> Hi,
>
> On 30.11.21 04:36, Eric Abreu wrote:
> > I have created a ZFS pool from Proxmox 7.1 web interface with 2 SSDs in
> > RAID 1. I noticed that everything works fine after I created the pool,
> and
> > ZFS at REST encryption was also enabled. After rebooting the server it
> did
> > not ask for a passphrase so my guess is that Proxmox is getting the key
> > from somewhere in the file system. Anyone could help me find out where?
>
> Well, how did you enable ZFS at rest encryption? As that is something that
> won't
> be done automatically, and the local-storage web-interface/api currently
> does not
> allow to configure that either.
>
> cheers,
> Thomas
>
>

Re: [PVE-User] Where is ZFS encryption key in Proxmox 7.1

[Eric Abreu]

Hello Thomas,

I have repeated the following steps:

1 - Went to PVE Node/ ZFS/ Create ZFS/
2 - On the dialogue box name = my_pool, Add Storage (check), Select Devices
(2 x 1TB disks), RAID Level = Mirror, Compression = off, ashift = 12
3 - Hit Create
4 - Open the command line on my pve node and typed:
zpool get feature@encryption my_pool

And I got this as a response:

NAME     PROPERTY            VALUE               SOURCE
my_pool  feature@encryption  enabled             local

Does that mean encryption is enabled?

Thanks again.

On Tue, Nov 30, 2021 at 12:17 PM Eric Abreu <abreuer1521@gmail.com> wrote:

> Hi Thomas,
>
> Thanks for the quick response. I'm going to repeat the steps to create the
> ZFS pool from the web interface and paste them here. I'm pretty sure I did
> everything from the dashboard and the encryption was enabled by default.
> I'll keep you posted. Thanks again for your help.
>
> On Tue, Nov 30, 2021 at 3:37 AM Thomas Lamprecht <t.lamprecht@proxmox.com>
> wrote:
>
>> Hi,
>>
>> On 30.11.21 04:36, Eric Abreu wrote:
>> > I have created a ZFS pool from Proxmox 7.1 web interface with 2 SSDs in
>> > RAID 1. I noticed that everything works fine after I created the pool,
>> and
>> > ZFS at REST encryption was also enabled. After rebooting the server it
>> did
>> > not ask for a passphrase so my guess is that Proxmox is getting the key
>> > from somewhere in the file system. Anyone could help me find out where?
>>
>> Well, how did you enable ZFS at rest encryption? As that is something
>> that won't
>> be done automatically, and the local-storage web-interface/api currently
>> does not
>> allow to configure that either.
>>
>> cheers,
>> Thomas
>>
>>

Re: [PVE-User] Where is ZFS encryption key in Proxmox 7.1

[Adam Thompson]

No.  That means that the encryption *feature* is enabled, i.e. you may now proceed to encrypt your dataset... if you really want to find out exactly how that breaks things, I guess.
If it came back as disabled, you would not be able to use encryption at all on that dataset.
-Adam

Get Outlook for Android<https://aka.ms/AAb9ysg>
________________________________
From: pve-user <pve-user-bounces@lists.proxmox.com> on behalf of Eric Abreu <abreuer1521@gmail.com>
Sent: Tuesday, November 30, 2021 6:31:31 PM
To: Thomas Lamprecht <t.lamprecht@proxmox.com>
Cc: Proxmox VE user list <pve-user@lists.proxmox.com>
Subject: Re: [PVE-User] Where is ZFS encryption key in Proxmox 7.1

Hello Thomas,

I have repeated the following steps:

1 - Went to PVE Node/ ZFS/ Create ZFS/
2 - On the dialogue box name = my_pool, Add Storage (check), Select Devices
(2 x 1TB disks), RAID Level = Mirror, Compression = off, ashift = 12
3 - Hit Create
4 - Open the command line on my pve node and typed:
zpool get feature@encryption my_pool

And I got this as a response:

NAME     PROPERTY            VALUE               SOURCE
my_pool  feature@encryption  enabled             local

Does that mean encryption is enabled?

Thanks again.

On Tue, Nov 30, 2021 at 12:17 PM Eric Abreu <abreuer1521@gmail.com> wrote:

> Hi Thomas,
>
> Thanks for the quick response. I'm going to repeat the steps to create the
> ZFS pool from the web interface and paste them here. I'm pretty sure I did
> everything from the dashboard and the encryption was enabled by default.
> I'll keep you posted. Thanks again for your help.
>
> On Tue, Nov 30, 2021 at 3:37 AM Thomas Lamprecht <t.lamprecht@proxmox.com>
> wrote:
>
>> Hi,
>>
>> On 30.11.21 04:36, Eric Abreu wrote:
>> > I have created a ZFS pool from Proxmox 7.1 web interface with 2 SSDs in
>> > RAID 1. I noticed that everything works fine after I created the pool,
>> and
>> > ZFS at REST encryption was also enabled. After rebooting the server it
>> did
>> > not ask for a passphrase so my guess is that Proxmox is getting the key
>> > from somewhere in the file system. Anyone could help me find out where?
>>
>> Well, how did you enable ZFS at rest encryption? As that is something
>> that won't
>> be done automatically, and the local-storage web-interface/api currently
>> does not
>> allow to configure that either.
>>
>> cheers,
>> Thomas
>>
>>
_______________________________________________
pve-user mailing list
pve-user@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-user

Re: [PVE-User] Where is ZFS encryption key in Proxmox 7.1

[Eric Abreu]

Ok. Thank you Adam.

On Tue, Nov 30, 2021, 9:58 PM Adam Thompson <athompso@athompso.net> wrote:

> No.  That means that the encryption *feature* is enabled, i.e. you may now
> proceed to encrypt your dataset... if you really want to find out exactly
> how that breaks things, I guess.
> If it came back as disabled, you would not be able to use encryption at
> all on that dataset.
> -Adam
>
> Get Outlook for Android<https://aka.ms/AAb9ysg>
> ________________________________
> From: pve-user <pve-user-bounces@lists.proxmox.com> on behalf of Eric
> Abreu <abreuer1521@gmail.com>
> Sent: Tuesday, November 30, 2021 6:31:31 PM
> To: Thomas Lamprecht <t.lamprecht@proxmox.com>
> Cc: Proxmox VE user list <pve-user@lists.proxmox.com>
> Subject: Re: [PVE-User] Where is ZFS encryption key in Proxmox 7.1
>
> Hello Thomas,
>
> I have repeated the following steps:
>
> 1 - Went to PVE Node/ ZFS/ Create ZFS/
> 2 - On the dialogue box name = my_pool, Add Storage (check), Select Devices
> (2 x 1TB disks), RAID Level = Mirror, Compression = off, ashift = 12
> 3 - Hit Create
> 4 - Open the command line on my pve node and typed:
> zpool get feature@encryption my_pool
>
> And I got this as a response:
>
> NAME     PROPERTY            VALUE               SOURCE
> my_pool  feature@encryption  enabled             local
>
> Does that mean encryption is enabled?
>
> Thanks again.
>
> On Tue, Nov 30, 2021 at 12:17 PM Eric Abreu <abreuer1521@gmail.com> wrote:
>
> > Hi Thomas,
> >
> > Thanks for the quick response. I'm going to repeat the steps to create
> the
> > ZFS pool from the web interface and paste them here. I'm pretty sure I
> did
> > everything from the dashboard and the encryption was enabled by default.
> > I'll keep you posted. Thanks again for your help.
> >
> > On Tue, Nov 30, 2021 at 3:37 AM Thomas Lamprecht <
> t.lamprecht@proxmox.com>
> > wrote:
> >
> >> Hi,
> >>
> >> On 30.11.21 04:36, Eric Abreu wrote:
> >> > I have created a ZFS pool from Proxmox 7.1 web interface with 2 SSDs
> in
> >> > RAID 1. I noticed that everything works fine after I created the pool,
> >> and
> >> > ZFS at REST encryption was also enabled. After rebooting the server it
> >> did
> >> > not ask for a passphrase so my guess is that Proxmox is getting the
> key
> >> > from somewhere in the file system. Anyone could help me find out
> where?
> >>
> >> Well, how did you enable ZFS at rest encryption? As that is something
> >> that won't
> >> be done automatically, and the local-storage web-interface/api currently
> >> does not
> >> allow to configure that either.
> >>
> >> cheers,
> >> Thomas
> >>
> >>
> _______________________________________________
> pve-user mailing list
> pve-user@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-user
>
> _______________________________________________
> pve-user mailing list
> pve-user@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-user
>
>