Commit c508504

Better ZFS properties
Signed-off-by: Tommy <[email protected]>
1 parent 281f43e commit c508504

1 file changed

+12
-7
lines changed
content/posts/linux/Using Native ZFS Encryption with Proxmox.md

Lines changed: 12 additions & 7 deletions
@@ -25,7 +25,7 @@ Load in the `zfs` kernel module:
2525
modprobe zfs
2626
```
2727

28-
Next, follow [this gist](https://gist.github.com/yvesh/ae77a68414484c8c79da03c4a4f6fd55) to encrypt the dataset. You do not need to use any sort of live USB or rescue mode, as the initramfs has all what we need. In case it gets moved or deleted, I will copy and paste it here:
28+
Next, follow [this gist](https://gist.github.com/yvesh/ae77a68414484c8c79da03c4a4f6fd55) to encrypt the dataset. You do not need to use any sort of live USB or rescue mode, as the initramfs has all what we need. In case it gets moved or deleted, I will copy and paste it here (we will make a few changes to better suite our purposes as well):
2929

3030
```sh
3131
# Import the old
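Review bot: "suite" in the added parenthetical should be "suit" ("to better suit our purposes"); the parenthetical itself is worth keeping, since the commands that follow now diverge from the linked gist and a reader comparing the two needs to know that is intentional. While this line is being touched, the unchanged "all what we need" would read better as "everything we need".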
@@ -40,9 +40,12 @@ zfs send -R rpool/ROOT@copy | zfs receive rpool/copyroot
4040
# Destroy the old unencrypted root
4141
zfs destroy -r rpool/ROOT
4242

43+
# Set better ZFS properties
44+
zpool set autoexpand=on autotrim=on failmode=wait rpool
45+
4346
# Create a new zfs root, with encryption turned on
4447
# OR -o encryption=aes-256-gcm - aes-256-ccm vs aes-256-gcm
45-
zfs create -o encryption=on -o keyformat=passphrase rpool/ROOT
48+
zfs create -o acltype=posix -o atime=off -o compression=zstd-3 -o checksum=blake3 -o dnodesize=auto -o encryption=on -o keyformat=passphrase -o overlay=off -o xattr=sa rpool/ROOT
4649

4750
# Copy the files from the copy to the new encrypted zfs root
4851
zfs send -R rpool/copyroot/pve-1@copy | zfs receive -o encryption=on rpool/ROOT/pve-1
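Review bot: the added `zpool set autoexpand=on autotrim=on failmode=wait rpool` will not run as written, because `zpool set` accepts exactly one `property=value` followed by the pool name, so the second and third properties are rejected as extra arguments. Split it into `zpool set autoexpand=on rpool` and `zpool set autotrim=on rpool` (`failmode=wait` is already the default and can be dropped). The new `zfs create` line also adds `-o checksum=blake3`, which requires a pool whose feature set includes blake3 (OpenZFS 2.2 or later); on an older ZFS the create fails and `rpool/ROOT` does not exist when the `zfs send | zfs receive` immediately below runs, so the post should state the version requirement or offer a fallback checksum.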
@@ -67,15 +70,17 @@ reboot -f
6770

6871
Next, we need to encrypt the `rpool/data` dataset. This is where Proxmox stores virtual machine disks.
6972

70-
Note that the encryption key will be stored inside of the `rpool/ROOT` dataset. Since `rpool/ROOT` is already encrypted, we can safely store it there. The key also has to be exactly 32 bytes.
71-
7273

7374
```bash
7475
# Destroy the original dataset
7576
zfs destroy -r rpool/data
77+
```
7678

77-
# Create a new encryption key
78-
dd if=/dev/random bs=32 count=1 of=/.data.key
79+
Create a diceware passphrase, and save it to `/.data.key`. Then, continue with:
80+
81+
```bash
82+
# Remove all but ASCII characters
83+
perl -i -pe 's/[^ -~]//g' /.data.key
7984

8085
# Set the approprieate permission
8186
chmod 400 /.data.key
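Review bot: the removed sentence about the key living inside the already-encrypted `rpool/ROOT` was the only place the post justified keeping `/.data.key` on disk in plaintext, and that justification still holds with a diceware passphrase; restore it and drop only the "exactly 32 bytes" constraint, which no longer applies now that `keyformat=passphrase` is used (a passphrase must be between 8 and 512 bytes). The added `perl -i -pe 's/[^ -~]//g' /.data.key` also strips newlines, so a passphrase saved across several lines silently collapses into one string; the text should say the file must contain the passphrase on a single line. The unchanged context line "approprieate" should read "appropriate".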
@@ -84,7 +89,7 @@ chmod 400 /.data.key
8489
chattr +i /.data.key
8590

8691
# Create a new dataset with encryption enabled
87-
zfs create -o encryption=on -o keylocation=file:///.data.key -o keyformat=raw rpool/data
92+
zfs create acltype=posix -o atime=off -o compression=zstd-3 -o checksum=blake3 -o dnodesize=auto -o encryption=on -o keyformat=passphrase -o keylocation=file:///.data.key -o overlay=off -o xattr=sa rpool/data
8893
```
8994

9095
Next, we need to setup a systemd service for automatic unlocking. Put the following inside of `/etc/systemd/system/zfs-load-key.service`
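Review bot: the new `zfs create` line is missing `-o` before `acltype=posix`; as written, `acltype=posix` is parsed as the dataset name and `rpool/data` becomes an unexpected extra argument, so the command errors and the dataset is never created. It should read `zfs create -o acltype=posix -o atime=off -o compression=zstd-3 ... rpool/data`. The switch from `keyformat=raw` to `keyformat=passphrase` is the correct matching change now that the previous hunk writes a passphrase rather than 32 random bytes to `/.data.key`, and `keylocation=file:///.data.key` is what lets the `zfs-load-key.service` described next unlock the dataset without a prompt.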
