Proxmox Cookbook
Proxmox comes out of the box with some very useful programs such as OpenZFS, LXD and of course KVM. Starting off with the correct settings is quite important though, especially when it comes to those that cannot be changed after installation, such as a zpool's ashift parameter.
Installing the OS
There are two different ways of installing Proxmox: either install on top of Debian or directly from the Proxmox ISO. Installing on top of Debian allows for customizing the partition layout of the OS, as the Proxmox ISO only provides a fully guided installer. That being said, if you want to take advantage of features such as ZFS on root, the Proxmox installer can do this for you.
Root Encryption
EXT4 on top of LUKS is presented as an option when installing Debian. However, what if you wanted your root as a native encrypted ZFS dataset? Well, thanks to systemd-boot, you can! The Proxmox ISO automatically installs Proxmox using systemd-boot as the boot loader, which itself automatically detects whether the root dataset uses ZFS native encryption.
To achieve this, all that needs to be done is install Proxmox on ZFS using the guided installer:
Then,
- Create a copy of the unencrypted root dataset
- Delete the original unencrypted dataset
- Create a new encrypted dataset in place of the original dataset
- Copy the files into the new encrypted dataset
# Import the old pool
zpool import -f rpool
# Make a snapshot of the current one
zfs snapshot -r rpool/ROOT@copy
# Send the snapshot to a temporary root
zfs send -R rpool/ROOT@copy | zfs receive rpool/copyroot
# Destroy the old unencrypted root
zfs destroy -r rpool/ROOT
# Create a new zfs root, with encryption turned on
# encryption=on selects the default cipher suite; to choose one explicitly,
# use -o encryption=aes-256-gcm or -o encryption=aes-256-ccm instead
zfs create -o encryption=on -o keyformat=passphrase rpool/ROOT
# Copy the files from the copy to the new encrypted zfs root
zfs send -R rpool/copyroot/pve-1@copy | zfs receive -o encryption=on rpool/ROOT/pve-1
# Set the Mountpoint
zfs set mountpoint=/ rpool/ROOT/pve-1
# Delete the old unencrypted copy
zfs destroy -r rpool/copyroot
# Export the pool again, so you can boot from it
zpool export rpool
Note: this is also where you would want to set other ZFS options such as encryption or blocksize.
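A check for the result of the steps above, as an added example that is not part of the original cookbook: it reads `zfs get` output and reports any dataset that is unencrypted or does not share the expected encryption root. The function name `audit_encryption` and the sample lines are constructed for illustration, and treating `rpool/ROOT` as the encryption root is an assumption based on the commands above.

```shell
#!/bin/sh
# Added example: audit ZFS native encryption after the migration above.
# Input (stdin): output of
#   zfs get -H -r -t filesystem,volume -o name,property,value \
#       encryption,encryptionroot rpool/ROOT
# Output: one line per dataset that is unencrypted or keyed elsewhere.
# Exit status: 0 if every dataset is encrypted under $1, 1 otherwise.
audit_encryption() {
    awk -F '\t' -v root="$1" '
        $2 == "encryption"     { enc[$1] = $3 }
        $2 == "encryptionroot" { er[$1] = $3 }
        END {
            bad = 0
            for (ds in enc) {
                if (enc[ds] == "off") {
                    print ds ": unencrypted"; bad = 1
                } else if (er[ds] != root) {
                    print ds ": encryptionroot is " er[ds]; bad = 1
                }
            }
            exit bad
        }'
}

# Constructed sample: the state the procedure is expected to produce.
sample_encrypted() {
    printf '%s\t%s\t%s\n' \
        rpool/ROOT       encryption     aes-256-gcm \
        rpool/ROOT       encryptionroot rpool/ROOT \
        rpool/ROOT/pve-1 encryption     aes-256-gcm \
        rpool/ROOT/pve-1 encryptionroot rpool/ROOT
}

# Constructed sample: the received dataset ended up without encryption.
sample_unencrypted_child() {
    printf '%s\t%s\t%s\n' \
        rpool/ROOT       encryption     aes-256-gcm \
        rpool/ROOT       encryptionroot rpool/ROOT \
        rpool/ROOT/pve-1 encryption     off \
        rpool/ROOT/pve-1 encryptionroot -
}

sample_encrypted | audit_encryption rpool/ROOT && echo "all datasets encrypted"
sample_unencrypted_child | audit_encryption rpool/ROOT || echo "findings listed above"
```

On a live system, pipe the `zfs get` command from the header comment into `audit_encryption rpool/ROOT` before running `zfs destroy -r rpool/copyroot`, so the unencrypted copy is only removed once the new root is confirmed encrypted.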
After Installing Proxmox
After installing Proxmox, it's a good idea to do the usual things for a new server OS (updating the system, turning off SSH password logins).
Cheers! If you're curious, you can take a peek at how to handle VM Storage.