Best way to have all my machines encrypted with ZFS encryption?

Hi there,

I’ve started encrypting all of my company’s data here with native ZFS encryption. I’m using passphrase as the keyformat. I’m also running LXD 3.0.3 with ZFS 0.8.5 on Ubuntu 18.

The next step is to start encrypting all the datasets with our virtual machines. I have 2 things in mind here:

  1. How can I create a container via LXC on a ZFS-encrypted dataset? Would encrypting the parent (e.g. tank/containers) be enough so that tank1/containers/my-machine is encrypted?

  2. Does anyone have a good method for turning existing containers into encrypted ones? The best I could come up with was rsync the rootfs of the container to another, encrypted dataset, unmount the original one, and mount the encrypted one to the LXD container path.

Maybe some functionality has been added in newer versions? I couldn’t find anything in the documentation…

Thanks in advance!

Encrypting the parent and making sure it’s unlocked when LXD starts should be sufficient.

As far as I know, the only way you can turn things from unencrypted to encrypted is through send/receive. Either manually doing it one by one, or you could create a new ZFS pool in LXD, make that one encrypted and then use lxc move to move containers over one by one.

2 Likes

There is very little point in encrypting the container images as you can always access them via the lxc file and lxc exec commands on the host machine.

On my compute nodes I encrypt the entire disk using LUKS (I’m using Ubuntu 20.04 Server). Then we have a TPM module on the motherboard, in which we seal the encryption key, which means they can reboot unattended. The TPM is keyed to secure boot, which means the box is as physically secure as we can make it.

Hi, I’m trying to do this (setup an encrypted ZFS storage pool for LXD). But I’m in a clustered LXD and I can’t figure out how to do this. ZFS encryption cannot be enabled after the fact, so I have to setup a new dataset with encryption enabled and tell lxd to use it.

# zfs create -o encryption=on -o keylocation=prompt -o keyformat=passphrase rpool/lxd_encrypted
# lxc storage create zfsencrypted zfs source=rpool/lxd_encrypted

but the second command fails with this error:
Error: Config key "source" is node-specific

Any ideas?

BTW I may be confused, but an ‘lxd pool’ is actually a ‘zfs dataset’ (not a pool), right?

Update, I think this works!

lxc storage create zfsencrypted zfs source=rpool/lxd_encrypted --target <node1>
lxc storage create zfsencrypted zfs source=rpool/lxd_encrypted --target <node2>
lxc storage create zfsencrypted zfs source=rpool/lxd_encrypted --target <node3>
lxc storage create zfsencrypted zfs
1 Like

Yes that is the correct way to create a storage pool in a cluster.
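As an added worked example (not code from this thread or from the LXD project), the script below puts together the migration route recommended in the reply near the top of the thread (a new encrypted ZFS dataset, a new LXD storage pool on it, then lxc move for each container) with the clustered pool-creation form shown in the last posts (one lxc storage create per node with --target, then a final call without a source). It runs in dry-run mode by default and only prints the commands it would execute. Everything named in it is hypothetical: the dataset tank/lxd-enc, the pool zfs-enc, the containers web and db, the node names. It also assumes that your LXD release supports the --storage flag on lxc move and that, on a cluster, the encrypted dataset has already been created under the same name on every node. The one piece that is not a thin zfs/lxc wrapper is report_unencrypted, which reads the output of zfs get -H -o name,value encryption -r and fails if any dataset still reports off; that is the check worth running before you decommission the old, unencrypted pool.

```bash
#!/usr/bin/env bash
# Added example, not from the thread or the LXD project: migrate LXD containers
# onto an encrypted ZFS dataset via a new storage pool, then verify the result.
# Hypothetical names throughout: dataset tank/lxd-enc, LXD pool zfs-enc.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 executes them.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# run CMD...: print the command, then execute it unless in dry-run mode.
run() {
  printf '+ %s\n' "$*"
  if [ "$DRY_RUN" != "1" ]; then
    "$@"
  fi
}

# 1. Encrypted parent dataset. Everything LXD creates beneath it (containers,
#    images, custom volumes) inherits the encryption. keylocation=prompt means
#    the key has to be loaded (zfs load-key) before LXD starts, otherwise the
#    child datasets cannot be mounted.
create_encrypted_parent() {
  local ds="$1"
  run zfs create -o encryption=aes-256-gcm -o keyformat=passphrase \
      -o keylocation=prompt "$ds"
}

# 2. LXD storage pool on that dataset. Standalone host: a single command.
#    Cluster (extra NODE arguments): "source" is node-specific, so it is set
#    once per node with --target and the pool is then finalized with a call
#    that carries no source. On a cluster, create_encrypted_parent must already
#    have been run on every node with the same dataset name.
create_lxd_pool() {
  local pool="$1" ds="$2" node
  shift 2
  if [ "$#" -eq 0 ]; then
    run lxc storage create "$pool" zfs "source=$ds"
    return
  fi
  for node in "$@"; do
    run lxc storage create "$pool" zfs "source=$ds" --target "$node"
  done
  run lxc storage create "$pool" zfs
}

# 3. Move one container onto the new pool (assumes lxc move --storage exists).
move_container() {
  local name="$1" pool="$2"
  run lxc stop "$name"
  run lxc move "$name" --storage "$pool"
  run lxc start "$name"
}

# 4. Verification filter: reads the output of
#      zfs get -H -o name,value encryption -r DATASET
#    on stdin, prints every dataset whose encryption property is "off", and
#    returns 1 if any such dataset was seen (0 when everything is encrypted).
report_unencrypted() {
  local name value found=0
  while read -r name value; do
    if [ "$value" = "off" ]; then
      printf 'NOT ENCRYPTED: %s\n' "$name"
      found=1
    fi
  done
  return "$found"
}

# migrate_all DATASET POOL CONTAINER...: the whole standalone procedure.
migrate_all() {
  local ds="$1" pool="$2" c
  shift 2
  create_encrypted_parent "$ds"
  create_lxd_pool "$pool" "$ds"
  for c in "$@"; do
    move_container "$c" "$pool"
  done
  # Real runs end with the check; in dry-run mode there is nothing to inspect.
  if [ "$DRY_RUN" != "1" ]; then
    zfs get -H -o name,value encryption -r "$ds" | report_unencrypted
  fi
}

# Usage:         ./migrate.sh tank/lxd-enc zfs-enc web db   (prints the plan)
#        DRY_RUN=0 ./migrate.sh tank/lxd-enc zfs-enc web db   (executes it)
if [ "$#" -ge 2 ]; then
  migrate_all "$@"
fi
```

For a cluster, call create_lxd_pool with the node names (create_lxd_pool zfs-enc tank/lxd-enc node1 node2 node3) instead of letting migrate_all create the pool, and run the zfs get | report_unencrypted check on each node, since zfs get only sees the local pool.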