[PVE-User] VM encryption and high availability

Discussion:

Martin LEUSCH

2018-10-05 14:55:49 UTC

Hi,

I have a Proxmox cluster and use LVM over iSCSI as storage. As I didn't
own the iSCSI server, I plane to encrypt some disk image to increase
confidentiality.

Firstly, I didn't found a way to encrypt iSCSI target or LVM logical
volume and use them in Proxmox, is there a way to achieve that? What
about ZFS over iSCSI or other configuration?

An other way is to encrypt data at the guest OS level by using LUKS for
data partition for example but my VMs need to start without any manual
action to keep high availability on my VMs. Are there any tools that can
help to keep LUKS keys in secure location?

Any other suggestion to do encryption with Proxmox?

Sincerely,
Martin

Alex Chekholko

2018-10-05 17:35:47 UTC

Permalink

Hi,

I obviously have not tried it, but if you compile a pre-release version of
ZFS on Linux with the encryption support, then from the point of view of
PVE it should be a regular ZFS pool with regular zvols and the encryption
key will only be in the memory of your PVE server and the owner of the
iscsi storage will not be able to decrypt the data.

slightly out of date example:
https://blog.heckel.xyz/2017/01/08/zfs-encryption-openzfs-zfs-on-linux/

I think you'd start with compiling the 0.8.0 rc1:
https://github.com/zfsonlinux/zfs/tree/zfs-0.8.0-rc1

Regards,
Alex

Post by Martin LEUSCH
Hi,
I have a Proxmox cluster and use LVM over iSCSI as storage. As I didn't
own the iSCSI server, I plane to encrypt some disk image to increase
confidentiality.
Firstly, I didn't found a way to encrypt iSCSI target or LVM logical
volume and use them in Proxmox, is there a way to achieve that? What
about ZFS over iSCSI or other configuration?
An other way is to encrypt data at the guest OS level by using LUKS for
data partition for example but my VMs need to start without any manual
action to keep high availability on my VMs. Are there any tools that can
help to keep LUKS keys in secure location?
Any other suggestion to do encryption with Proxmox?
Sincerely,
Martin
_______________________________________________
pve-user mailing list
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user

Daniel Berteaud

2018-10-08 06:30:17 UTC

Permalink

You can, this is what I use. Just declare your iSCSI volume, but don't
use it yet. Create a LUKS volume on it (just on one node):

cryptsetup luksFormat /dev/sdc

[...]

Then open your new LUKS device:

cryptsetup open --type=luks /dev/sdc clear

Now you can use /dev/mapper/clear as LVM (pvcreate && vgcreate on one
node before using it).

Now, when you reboot one of your node, you just have to unlock the
device with

cryptsetup open --type=luks /dev/sdc clear

Before you can access the data
--
Logo FWS

*Daniel Berteaud*

FIREWALL-SERVICES SAS.
Société de Services en Logiciels Libres
Tel : 05 56 64 15 32
Matrix: @dani:fws.fr
/www.firewall-services.com/

Alexandre DERUMIER

2018-10-08 06:50:47 UTC

Permalink

Hi,

It's also possible to manage luks encryption at qemu level

I have an opened bugzilla about this, but don't have time yet to work on it
https://bugzilla.proxmox.com/show_bug.cgi?id=1894

Advantage is that it's could work with any storage

----- Mail original -----
De: "Daniel Berteaud" <***@firewall-services.com>
À: "proxmoxve" <pve-***@pve.proxmox.com>
Envoyé: Lundi 8 Octobre 2018 08:30:17
Objet: Re: [PVE-User] VM encryption and high availability

Daniel Berteaud

2018-10-08 06:53:08 UTC

Permalink

Post by Alexandre DERUMIER
Hi,
It's also possible to manage luks encryption at qemu level
I have an opened bugzilla about this, but don't have time yet to work on it
https://bugzilla.proxmox.com/show_bug.cgi?id=1894
Advantage is that it's could work with any storage

That's be even better indeed !

Wasn't aware of that

++
--
Logo FWS

*Daniel Berteaud*

FIREWALL-SERVICES SAS.
Société de Services en Logiciels Libres
Tel : 05 56 64 15 32
Matrix: @dani:fws.fr
/www.firewall-services.com/