 |
Native ZFS encryption in Proxmox VE is experimental. Known limitations and issues include Replication with encrypted datasets , as well as checksum errors when using Snapshots or ZVOLs. |
ZFS on Linux version 0.8.0 introduced support for native encryption of
datasets. After an upgrade from previous ZFS on Linux versions, the encryption
feature can be enabled per pool:
# zpool get feature@encryption tank NAME PROPERTY VALUE SOURCE tank feature@encryption disabled local # zpool set feature@encryption=enabled # zpool get feature@encryption tank NAME PROPERTY VALUE SOURCE tank feature@encryption enabled local
|
|
There is currently no support for booting from pools with encrypted datasets using GRUB, and only limited support for automatically unlocking encrypted datasets on boot. Older versions of ZFS without encryption support will not be able to decrypt stored data. |
 |
It is recommended to either unlock storage datasets manually after booting, or writing a custom unit to pass the key material needed for unlocking on boot to zfs load-key. |
|
|
Establish and test a backup procedure before enabling encryption of production data. If the associated key material/passphrase/key file has been lost, accessing the encrypted data is no longer possible. |
Encryption needs to be set up when creating datasets/zvols, and is inherited by
default to child datasets. For example, to create an encrypted dataset
tank/encrypted_data and configure it as storage in Proxmox VE, run the following
commands:
# zfs create -o encryption=on -o keyformat=passphrase tank/encrypted_data Enter passphrase: Re-enter passphrase: # pvesm add zfspool encrypted_zfs -pool tank/encrypted_data
All guest volumes/disks create on this storage will be encrypted with the
shared key material of the parent dataset.
To actually use the storage, the associated key material needs to be loaded
and the dataset needs to be mounted. This can be done in one step with:
# zfs mount -l tank/encrypted_data Enter passphrase for 'tank/encrypted_data':
It is also possible to use a (random) keyfile instead of prompting for a
passphrase by setting the keylocation and key format properties, either at
creation time or with zfs change-key on existing datasets:
# dd if=/dev/urandom of=/path/to/keyfile bs=32 count=1 # zfs change-key -o keyformat=raw -o keylocation=file:///path/to/keyfile tank/encrypted_data
|
|
When using a keyfile, special care needs to be taken to secure the keyfile against unauthorized access or accidental loss. Without the keyfile, it is not possible to access the plaintext data! |
A guest volume created underneath an encrypted dataset will have its
encryption-root property set accordingly. The key material only needs to be
loaded once per encryptionroot to be available to all encrypted datasets
underneath it.
See the encryptionroot, encryption, keylocation, keyformat and
keystatus properties, the zfs load-key, zfs unload-key and zfs
change-key commands and the Encryption section from man zfs for more
details and advanced usage.
Native ZFS encryption in Proxmox VE is experimental. Known limitations and
issues include Replication with encrypted datasets
,
as well as checksum errors when using Snapshots or ZVOLs.
ZFS on Linux version 0.8.0 introduced support for native encryption of
datasets. After an upgrade from previous ZFS on Linux versions, the encryption
feature can be enabled per pool:
# zpool get feature@encryption tank
NAME PROPERTY VALUE SOURCE
tank feature@encryption disabled local
# zpool set feature@encryption=enabled
# zpool get feature@encryption tank
NAME PROPERTY VALUE SOURCE
tank feature@encryption enabled local
There is currently no support for booting from pools with encrypted
datasets using GRUB, and only limited support for automatically unlocking
encrypted datasets on boot. Older versions of ZFS without encryption support
will not be able to decrypt stored data.
It is recommended to either unlock storage datasets manually after
booting, or to write a custom unit to pass the key material needed for
unlocking on boot to zfs load-key.
Establish and test a backup procedure before enabling encryption of
production data. If the associated key material/passphrase/keyfile has been
lost, accessing the encrypted data is no longer possible.
Encryption needs to be setup when creating datasets/zvols, and is inherited by
default to child datasets. For example, to create an encrypted dataset
tank/encrypted_data and configure it as storage in Proxmox VE, run the following
commands:
# zfs create -o encryption=on -o keyformat=passphrase tank/encrypted_data
Enter passphrase:
Re-enter passphrase:
# pvesm add zfspool encrypted_zfs -pool tank/encrypted_data
All guest volumes/disks create on this storage will be encrypted with the
shared key material of the parent dataset.
To actually use the storage, the associated key material needs to be loaded
and the dataset needs to be mounted. This can be done in one step with:
# zfs mount -l tank/encrypted_data
Enter passphrase for ‘tank/encrypted_data’:
It is also possible to use a (random) keyfile instead of prompting for a
passphrase by setting the keylocation and keyformat properties, either at
creation time or with zfs change-key on existing datasets:
# dd if=/dev/urandom of=/path/to/keyfile bs=32 count=1
# zfs change-key -o keyformat=raw -o keylocation=file:///path/to/keyfile tank/encrypted_data
When using a keyfile, special care needs to be taken to secure the
keyfile against unauthorized access or accidental loss. Without the keyfile, it
is not possible to access the plaintext data!
A guest volume created underneath an encrypted dataset will have its
encryptionroot property set accordingly. The key material only needs to be
loaded once per encryptionroot to be available to all encrypted datasets
underneath it.
See the encryptionroot, encryption, keylocation, keyformat and
keystatus properties, the zfs load-key, zfs unload-key and zfs
change-key commands and the Encryption section from man zfs for more
details and advanced usage.
