Important notes

The commands below encrypt the ROOT dataset of Proxmox.

No live Linux system is needed!

During the process, the ROOT dataset will use twice the space, because the encrypted copy exists alongside the original until the cleanup step.

This guide only handles the encryption of the ROOT dataset.

Not all Proxmox features work with encryption; use at your own risk.

# Create new encrypted ROOT dataset:
zfs create -o encryption=on -o keyformat=passphrase rpool/ROOTenc
# Adjust kernel options to boot from encrypted ROOT
sed 's@/ROOT/@/ROOTenc/@g' -i /etc/kernel/cmdline
# Create snapshot and copy it to the encrypted dataset
zfs snapshot -r rpool/ROOT@forCopy
zfs send -R rpool/ROOT/pve-1@forCopy | zfs receive -o encryption=on rpool/ROOTenc/pve-1
# Update your EFI
pve-efiboot-tool refresh

# —— REBOOT ——

# Now you should be asked for the passphrase

# Cleanup:
zfs destroy -r rpool/ROOT@forCopy
zfs destroy -r rpool/ROOTenc@forCopy
zfs destroy -R rpool/ROOT
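
The last cleanup command removes the unencrypted original, so it helps to confirm first that the host really booted from the encrypted copy. The script below is an added example, not part of the original guide: the function names are hypothetical, and the sample kernel command line and property values are constructed (the `root=ZFS=... boot=zfs` form is an assumption about the host's `/etc/kernel/cmdline`).

```shell
#!/bin/sh
# Added example, not from the original guide. Function names are hypothetical;
# dataset names are the ones the guide uses.
NEW=rpool/ROOTenc/pve-1   # encrypted copy the host should now be running from

# Constructed sample inputs: what a correctly migrated host would report.
SAMPLE_CMDLINE='root=ZFS=rpool/ROOTenc/pve-1 boot=zfs'
SAMPLE_PROPS=$(printf 'encryption\taes-256-gcm\nkeystatus\tavailable\nencryptionroot\trpool/ROOTenc')

# prop PROPS NAME: pick one value out of "property<TAB>value" lines.
prop() { printf '%s\n' "$1" | awk -F'\t' -v p="$2" '$1 == p { print $2 }'; }

# safe_to_destroy_old ROOT_SOURCE CMDLINE PROPS
# Returns 0 only if every check passes; otherwise prints why and returns 1.
safe_to_destroy_old() {
    root_source=$1; cmdline=$2; props=$3

    # 1. / must be mounted from the encrypted dataset, not the old one.
    [ "$root_source" = "$NEW" ] || { echo "FAIL: / is '$root_source', not $NEW"; return 1; }

    # 2. The boot configuration must no longer name the old dataset.
    case $cmdline in
        *rpool/ROOT/*) echo "FAIL: kernel cmdline still references rpool/ROOT/"; return 1 ;;
    esac

    # 3. The dataset must really be encrypted, with its key loaded.
    enc=$(prop "$props" encryption)
    case $enc in
        ''|off) echo "FAIL: encryption is '${enc:-unset}'"; return 1 ;;
    esac
    [ "$(prop "$props" keystatus)" = available ] || { echo "FAIL: key not loaded"; return 1; }
    case $(prop "$props" encryptionroot) in
        rpool/ROOTenc|rpool/ROOTenc/*) ;;
        *) echo "FAIL: encryption root is not under rpool/ROOTenc"; return 1 ;;
    esac
    echo "OK: running from $NEW ($enc)"
}

# verify_live: collect the three inputs on the Proxmox host itself.
verify_live() {
    safe_to_destroy_old "$(findmnt -n -o SOURCE /)" "$(cat /etc/kernel/cmdline)" \
        "$(zfs get -H -o property,value encryption,keystatus,encryptionroot "$NEW")"
}

# "--live" checks the real system; without it the constructed sample is used.
if [ "${1:-}" = "--live" ]; then verify_live
else safe_to_destroy_old "$NEW" "$SAMPLE_CMDLINE" "$SAMPLE_PROPS"; fi
```

Run it with `--live` on the host after the reboot, and continue to `zfs destroy -R rpool/ROOT` only if it prints `OK`.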