Some input on crypttab and others

[wrobelda]

Hi,

Crypttab is used for non-root partitions only. For root partition, Proxmox uses dracut and kernel/cmdline, as you also instruct to adjust. Actually, neither of that is true, and Clevis in particular needs crypttab.

Additionally, you can find the UUID of LUKS partitions easily with blkid | grep crypto_LUKS, instead lsblk -o NAME,PATH,UUID,WWN,MOUNTPOINTS,FSTYPE,LABEL,MODEL,SERIAL | grep -v "/dev/zd" etc.

You also somewhat misleadingly ask to "Get the UUID's of the encrypted partitions". This could suggest to find the UUID of the nested ZFS partitions, which would be wrong.

That having said, I appreciate the guide a lot! Thanks!

[mr-manuel]

Thanks for the feedback!

[wrobelda]

Sure! Oh, and also two more things: your cmdline instruction uses /dev/ style addressing instead UUID, and discard for LUKS2 is enabled using cryptsetup , not mount options: https://wiki.archlinux.org/title/Dm-crypt/Specialties#LUKS2

[mr-manuel]

I changed it now to use UUID, thanks.

... discard for LUKS2 is enabled using cryptsetup

If I check with lsblk --discard the LUKS partition is shown, so discard is correctly enabled.You see any other problem with it?

[wrobelda]

Yeah, I think you're right on that one.

[wrobelda]

Oh, and one more thing: I would suggest to first encrypt only one of the devices in RAID, not all of them, then setup cmdline and optionally clevis (e.g. with TPM) for that device and reboot the system to see if everything works. If there's any issue, everything is easily reversible at this point still.

[mr-manuel]

Works only for RAID1

[wrobelda]

That's true, actually. Still I think it's worth mentioning, it might save someone some trouble.

[wrobelda]

Lastly, I would rather suggest prepending to /etc/kernel/cmdline instead of replacing the file:
printf "cryptdevice=UUID:identifier $(cat /etc/kernel/cmdline)\n" > /etc/kernel/cmdline

[mr-manuel]

I changed that now

[wrobelda]

Aaand one more suggestion: anyone attempting this should do a complete ZFS scrub to make sure any errors are fixed first before one of the copies is taken offline. Unfortunately, I didn't and as I was resilvering the disk, some permanent errors showed up. I was able to restore those files from backups, but it's still something that could be avoided with full scrubbing.

[mr-manuel]

I added a step to run scrub before the a vdev is taken offline, thanks!

[wrobelda]

Two more things I noticed:

1. Using keyctl comes with some security caveats: https://cryptsetup-team.pages.debian.net/cryptsetup/README.keyctl.html . Since it only makes sense for those who type in LUKS password manually at boot time, I think it would be best to mention that it's not needed otherwise, but also mention the extra security measures required for those who do type the pass.
2. You're not adding the cryptdevice=UUID= entries to /etc/kernel/cmdline. I do and I can't remember why was that needed on my end. Is this something you know of, by chance?

[mr-manuel]

For point 2 I had that in the README, but it was useless, since this is not needed for Debian.

[wrobelda]

Indeed, just removed it and system boots fine. I assume it's because cryptsetup-initramfs takes care of it by including the /etc/crypttab in initrd.

[mr-manuel]

Passphrase is piped between processes and could end up in unsecured memory, thus later swapped to disk! => Use of cryptoswap recommend!

As per default Proxmox installation there is no SWAP, so not an issue here.