Skip to content

Instantly share code, notes, and snippets.

@mallendeo

mallendeo/README.md

Last active November 10, 2024 22:57
Show Gist options
  • Save mallendeo/4b18ca4caecb299214008d4225274ea7 to your computer and use it in GitHub Desktop.
Save mallendeo/4b18ca4caecb299214008d4225274ea7 to your computer and use it in GitHub Desktop.
Download ZIP
Create a ZFS encrypted dataset in Proxmox
Raw
README.md

Create a ZFS encrypted dataset in Proxmox

Create encrypted dataset

zfs create rpool/safe -o encryption=on -o keyformat=passphrase

All children datasets of an encrypted dataset are also encrypted by default

zfs create rpool/safe/backups

If you use this encrypted dataset as storage in Proxmox (e.g vzdump, images), you must unlock after boot (via SSH):

zfs load-key rpool/safe
zfs mount rpool/safe # you may need this if it's not automatically mounted

If you don't, you may create files on the mountpoint directory and leak data (e.g automatic VM backups). To prevent Proxmox from creating files on an unmounted ZFS dataset run:

## RUN THESE COMMANDS ONCE AND WHEN THE ZFS DATASET IS NOT UNLOCKED/MOUNTED !!!
chmod a-w -R /rpool/safe
chattr +i -R /rpool/safe

Also do it every reboot: crontab -e

@reboot d=/rpool/safe; chmod a-w -R $d; chattr +i -R $d
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment