Discussion:
[PVE-User] VM encryption and high availability
Martin LEUSCH
2018-10-05 14:55:49 UTC
Permalink
Hi,

I have a Proxmox cluster and use LVM over iSCSI as storage. As I didn't
own the iSCSI server, I plane to encrypt some disk image to increase
confidentiality.

Firstly, I didn't found a way to encrypt iSCSI target or LVM logical
volume and use them in Proxmox, is there a way to achieve that? What
about ZFS over iSCSI or other configuration?

An other way is to encrypt data at the guest OS level by using LUKS for
data partition for example but my VMs need to start without any manual
action to keep high availability on my VMs. Are there any tools that can
help to keep LUKS keys in secure location?

Any other suggestion to do encryption with Proxmox?

Sincerely,
Martin
Alex Chekholko
2018-10-05 17:35:47 UTC
Permalink
Hi,

I obviously have not tried it, but if you compile a pre-release version of
ZFS on Linux with the encryption support, then from the point of view of
PVE it should be a regular ZFS pool with regular zvols and the encryption
key will only be in the memory of your PVE server and the owner of the
iscsi storage will not be able to decrypt the data.

slightly out of date example:
https://blog.heckel.xyz/2017/01/08/zfs-encryption-openzfs-zfs-on-linux/

I think you'd start with compiling the 0.8.0 rc1:
https://github.com/zfsonlinux/zfs/tree/zfs-0.8.0-rc1

Regards,
Alex
Post by Martin LEUSCH
Hi,
I have a Proxmox cluster and use LVM over iSCSI as storage. As I didn't
own the iSCSI server, I plane to encrypt some disk image to increase
confidentiality.
Firstly, I didn't found a way to encrypt iSCSI target or LVM logical
volume and use them in Proxmox, is there a way to achieve that? What
about ZFS over iSCSI or other configuration?
An other way is to encrypt data at the guest OS level by using LUKS for
data partition for example but my VMs need to start without any manual
action to keep high availability on my VMs. Are there any tools that can
help to keep LUKS keys in secure location?
Any other suggestion to do encryption with Proxmox?
Sincerely,
Martin
_______________________________________________
pve-user mailing list
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
Daniel Berteaud
2018-10-08 06:30:17 UTC
Permalink
Post by Martin LEUSCH
Hi,
I have a Proxmox cluster and use LVM over iSCSI as storage. As I
didn't own the iSCSI server, I plane to encrypt some disk image to
increase confidentiality.
Firstly, I didn't found a way to encrypt iSCSI target or LVM logical
volume and use them in Proxmox, is there a way to achieve that?
You can, this is what I use. Just declare your iSCSI volume, but don't
use it yet. Create a LUKS volume on it (just on one node):


cryptsetup luksFormat /dev/sdc

[...]


Then open your new LUKS device:


cryptsetup open --type=luks /dev/sdc clear


Now you can use /dev/mapper/clear as LVM (pvcreate && vgcreate on one
node before using it).


Now, when you reboot one of your node, you just have to unlock the
device with


cryptsetup open --type=luks /dev/sdc clear


Before you can access the data
--
Logo FWS

*Daniel Berteaud*

FIREWALL-SERVICES SAS.
Société de Services en Logiciels Libres
Tel : 05 56 64 15 32
Matrix: @dani:fws.fr
/www.firewall-services.com/
Alexandre DERUMIER
2018-10-08 06:50:47 UTC
Permalink
Hi,

It's also possible to manage luks encryption at qemu level

I have an opened bugzilla about this, but don't have time yet to work on it
https://bugzilla.proxmox.com/show_bug.cgi?id=1894

Advantage is that it's could work with any storage

----- Mail original -----
De: "Daniel Berteaud" <***@firewall-services.com>
À: "proxmoxve" <pve-***@pve.proxmox.com>
Envoyé: Lundi 8 Octobre 2018 08:30:17
Objet: Re: [PVE-User] VM encryption and high availability
Post by Martin LEUSCH
Hi,
I have a Proxmox cluster and use LVM over iSCSI as storage. As I
didn't own the iSCSI server, I plane to encrypt some disk image to
increase confidentiality.
Firstly, I didn't found a way to encrypt iSCSI target or LVM logical
volume and use them in Proxmox, is there a way to achieve that?
You can, this is what I use. Just declare your iSCSI volume, but don't
use it yet. Create a LUKS volume on it (just on one node):


cryptsetup luksFormat /dev/sdc

[...]


Then open your new LUKS device:


cryptsetup open --type=luks /dev/sdc clear


Now you can use /dev/mapper/clear as LVM (pvcreate && vgcreate on one
node before using it).


Now, when you reboot one of your node, you just have to unlock the
device with


cryptsetup open --type=luks /dev/sdc clear


Before you can access the data
--
Logo FWS

*Daniel Berteaud*

FIREWALL-SERVICES SAS.
Société de Services en Logiciels Libres
Tel : 05 56 64 15 32
Matrix: @dani:fws.fr
/www.firewall-services.com/

_______________________________________________
pve-user mailing list
pve-***@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
Daniel Berteaud
2018-10-08 06:53:08 UTC
Permalink
Post by Alexandre DERUMIER
Hi,
It's also possible to manage luks encryption at qemu level
I have an opened bugzilla about this, but don't have time yet to work on it
https://bugzilla.proxmox.com/show_bug.cgi?id=1894
Advantage is that it's could work with any storage
That's be even better indeed !

Wasn't aware of that


++
--
Logo FWS

*Daniel Berteaud*

FIREWALL-SERVICES SAS.
Société de Services en Logiciels Libres
Tel : 05 56 64 15 32
Matrix: @dani:fws.fr
/www.firewall-services.com/
Continue reading on narkive:
Search results for '[PVE-User] VM encryption and high availability' (Questions and Answers)
4
replies
acessing cached pages?
started 2006-07-07 05:56:14 UTC
computers & internet
Loading...