I’m trying to install Proxmox on a server that is going to be running Home Assistant, a security camera NVR setup and other sensitive data, I need to have the drives be encrypted with automatic decryption of drives so the VMs can automatically resume after a power failure.
- 2 Sata SSDs boot drives in a ZFS mirror
- 1 NVME SSD for L2ARC and VM storage
- 3 HDDs in a RAIDz1 for backups and general large storage
- 1 (maybe more added later) HDD for Camera NVR VM.
I’d prefer every drive encrypted with native ZFS encryption automatically decrypted by either TPM 2.0 or manually by a passphrase if needed as a backup.
I found a general guide on how to do something similar but it honestly went over my head (I’m still learning) and didn’t include much information about additional drives: Proxmox with Secure Boot and Native ZFS Encryption by u/m2noid
If someone could adapt that post into a more noob friendly guide for the latest Proxmox version, with directions for decryption of multiple drives, that would be amazing and I’m sure it would make an excellent addition to the Proxmox wiki
- 2 Sata SSDs boot drives in a ZFS mirror with LUKS encryption and automatic decryption with clevis.
- All other drives encrypted using ZFS native encryption with ZFS key (keys?) stored on LUKS boot drive partition.
With this arrangement, every drive could be encrypted at rest and decrypted on boot with native ZFS encryption on most drives but has the downsides of using LUKS on ZFS for the boot drives.
Is storing the ZFS keys in a LUKS partition insecure in some way? Would this result in undecryptable drives if something happened to ZFS keys on the boot drive or can they be also decrypted with a passphrase as a backup?
As it stands right now, I’m really stuck trying to figure this out so any help or well written guides are heavily appreciated. Thanks for reading!