Background: I’d like to turn an old personal laptop into a Jellyfin server so that I can stream media to my living room TV. I want to be able to expand what I use this server for over time. I’m leaning toward Proxmox as the OS so that I can spin up new containers for various services instead of installing a bunch of services on a base Debian install. I also want full disk encryption so that any data on the OS drive is less likely to be compromised by theft or Craigslist.
Question #1: I gather the general accepted approach for this is to first install Debian as a base w/ full disk encryption enabled and then install Proxmox on top because there is no option for full disk encryption in the native installer for Proxmox. Is this still the case?
Excerpt from this tutorial from November 2023 on the Proxmox Forum:
This tutorial deals with encryption of an existing installation. If you are starting fresh, my recommendation would be to install Debian with full disk encryption and then add Proxmox to it.
Excerpt from this post from February 2019 on the Level1Techs Forum:
The easiest way to do an encrypted Proxmox setup is to start with a minimal, vanilla Debian install. Set up the encrypted partition using the installer like you would with any other Debian system. Once installed, reboot. Then follow the guide for installing Proxmox on Debian.
Question #2: I don’t mind entering the key manually whenever I reboot the server, but will I be able to unlock the server remotely? For example, suppose I’m tinkering in the web admin panel or an SSH session and I want/need to reboot—will I have to physically go over to the laptop and enter the key every time?
Also, I appreciate any other tips from the community to help me think about this in the right way. Thanks!
I used to do this. Didn’t know the tutorial but used this part of the documentation: https://pve.proxmox.com/wiki/Installation
I switched to have an unencrypted proxmox partition and have all VM disks on an encrypted partition, mostly to have reboot working.
I have a luks encrypted proxmox machine.
And the easiest way i found to do it was to install debian with full disk encryption and then doing some magic to swap the kernel from debian to proxmox.
Or that’s what i think i did at least. I’m no linux magician, i just use it.
On another server i use dropbear to unlock LUKS over ssh. Those two things should be easy to combine.
I took meticulous notes, so i should be able to give you some direction to go if you need some help and can’t find a decent guide out there.
You swapped the kernel? I guess I’ll find out soon enough when I attempt my setup, but as I gather up the motivation to dive in, I’m assuming it will be as simple as installing a proxmox package or something. I guess I should re-read the guides. 🤣
That would be dope if you wouldn’t mind sharing your notes. There’s a decent amount of documentation out there already, but I often find it extremely valuable to read different people’s perspectives from real life experience in addition to the official guides. No pressure. Either way, thanks for chiming in!
It took some time as i had to find a moment to translate my notes.
I did my best with formatting but for some reason new paragraphs aren’t a thing i can get working in an untiered list in a lemmy comment 🤷
I presume some basic knowledge of linux and how to install an OS on a machine, but i’ve tried to add every single step with commands.
If anybody knows an easier way or has any comments regarding this, feel free to educate me.
Here is the way i installed it:
Switching the kernel:
- Install default debian bookworm without desktop environment, but with “standard systems utilities” and “ssh server”
- Don’t forget to LUKS it, or else you could have just used the proxmox iso 😉
- SSH server could probably be omitted if everything is done directly on the machine, but i wanted it so i could copy/paste commands
- Boot and log in as root
- Check /etc/hosts and change the ip in front of the hostname to the static ip of the machine
- Check with
hostname --ip-address
which should return the ip-address
- Add proxmox repo with
echo "deb [arch=amd64] http://download.proxmox.com/debian/pve bookworm pve-no-subscription" > /etc/apt/sources.list.d/pve-install-repo.list
- Add proxmox key with
wget https://enterprise.proxmox.com/debian/proxmox-release-bookworm.gpg -O /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg
- Run
apt update && apt full-upgrade
- Install proxmox kernel with
apt install proxmox-default-kernel
- Restart with
systemctl reboot
- NOTE: The machine will boot and get stuck on loading initial ramdisk, type in the LUKS key and press enter despite not getting a prompt
Installing the packages
- Install Proxmox packages with
apt install proxmox-ve postfix open-iscsi chrony
- Postfix needs to be configured, if no mailserver choose local only and let system name stay as default
- Remove debian kernel with
apt remove linux-image-amd64 'linux-image-6.1*'
- Update and check grub config with
update-grub
- Seems redundant, because i think it does this by itself when running the command above
- If proxmox is the only OS, remove os-prober with
apt remove os-prober
- This gave me an error about it not being empty, but it fixed itself after a reboot
- I think a reboot is needed here, but i honestly don’t remember. If in doubt run
systemctl reboot
Adding SSH access for root user
It’s easier to copy/paste commands, this requires SSH access to the server
This can be done at any point. I did it as soon as i installed debian, and then removed it as i booted into proxmox
- Edit /etc/ssh/sshd_config with
nano /etc/ssh/sshd_config
- Around line 32 find #PermitRootLogin without-password and make a new line below it and write
PermitRootLogin yes
- The commented line can be edited but i find it easier to add the line as it needs to be removed again later
- Restart the SSH server with
/etc/init.d/ssh restart
- When done with copy/pasting the commands it’s better to remove root SSH access again, this is done by removing the line that was added above
Removing debian user
This removes the user that was made as part of installing debian. It can probably be used, but i found it better to add all needed users once i got in to proxmox instead. The [username] of course needs to be changed out for the username you used when you installed debian.
- Log in to the terminal as root
- Find the list of users with
grep 'users' /etc/group
- Use
deluser [username]
to remove the user
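The "check /etc/hosts" step above is the one that silently breaks the Proxmox install when skipped, so here is an added pre-flight check for it (example code written for this thread, not part of the notes or of Proxmox). It assumes the Debian installer left the usual 127.0.1.1 line and that you know the static IP you want the hostname to resolve to; the sample hosts contents are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: verify the "Check /etc/hosts" step before
# installing the Proxmox kernel. The hostname must resolve to the machine's static
# IP and not to the 127.0.1.1 line the Debian installer writes. Hosts content is
# read from stdin so the check can be exercised on constructed sample data.

# check_hosts HOSTNAME STATIC_IP < hosts-file
# Exit 0 only if HOSTNAME is listed on the STATIC_IP line and on no 127.x line.
check_hosts() {
    awk -v h="$1" -v ip="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }      # skip comments and blank lines
        {
            for (i = 2; i <= NF; i++) {
                if ($i != h) continue
                if ($1 == ip) ok = 1
                else if ($1 ~ /^127\./) loop = 1 # loopback entry still claims the name
            }
        }
        END { if (ok && !loop) exit 0; exit 1 }'
}

# Constructed sample: what the Debian installer typically leaves behind.
installer_default_hosts() {
    printf '127.0.0.1\tlocalhost\n127.0.1.1\tpve.home.lan\tpve\n'
}

# Constructed sample: the corrected file the notes ask for (IP is made up).
fixed_hosts() {
    printf '127.0.0.1\tlocalhost\n192.168.1.10\tpve.home.lan\tpve\n'
}

# Live check: ./check_hosts.sh --live <static-ip>
if [ "$1" = "--live" ] && [ -n "$2" ]; then
    if check_hosts "$(hostname)" "$2" < /etc/hosts; then
        echo "OK: $(hostname) -> $2 in /etc/hosts; hostname --ip-address should agree"
    else
        echo "FIX /etc/hosts: map $(hostname) to $2 and drop it from the 127.0.1.1 line" >&2
        exit 1
    fi
fi
```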
These notes are gold—thank you so much for sharing!
- Install default debian bookworm without desktop environment, but with “standard systems utilities” and “ssh server”
Another idea for you: if you use ZFS for the install, check Debian directions on OpenZFS or zfsbootmenu and you’ll get directions for an encrypted installation. You’ll be able to specify the path to a key file, which you can keep on a thumb drive. When the machine boots up, it’ll see the thumb drive and decrypt the zpool automatically; yank the thumb drive and it won’t (backup the key of course).
Thanks for the tip. I have no experience w/ ZFS, but I’ll keep this in mind in case I go that route. Thank you!
I think you can do the same with LUKS (https://www.cyberciti.biz/hardware/cryptsetup-add-enable-luks-disk-encryption-keyfile-linux/) if that’s your preferred route.
Good to know. Thanks!
Here is a more or less automated install for root on zfs. It needs at least three hdds, preferably in an hba, and can withstand the loss of at least one drive.
https://github.com/Reddimes/ubuntu-zfsraid10/tree/debian-raidz1
There is also an Ubuntu ZFS RAID 10 branch.
You can use one of a few ways to use the TPM to auto decrypt on boot without passphrase. Systemd cryptenroll is my favorite.
I think when people want to remotely decrypt fde the usual advice is installing dropbear SSH to remotely enter the password. Sorry for not providing links but it should be easy to find.
If you have more than one server, running a tang server is super easy. Clevis can then be used to unlock a LUKS partition automatically on boot.
Thanks, I’ll look into dropbear. I’ve seen it mentioned in other posts, and with a quick search I found what appears to be a nice, solid guide: Full Disk Encryption Reboot with DropbearSSH. Thank you!
Any reason you need to encrypt the host OS information? I would assume anything interesting would be in the VM and you could probably have the VM encrypt its own storage.
Peace of mind.
I don’t understand why you’d install Debian before the hypervisor.
Edit: TiL thx for the replies. I legit didn’t know of these scenarios.
Proxmox is based on Debian, but its installer does not offer you as many options as the base Debian installer. People figured out you can just install debian with your preferred settings and then just slap the proxmox packages on top.
Because it says to do so?
Proxmox uses Debian as the OS and for several scenarios it says do Debian to get that done and just add the proxmox software. It’s managing qemu kvm on a deb managed kernel
I had to do it for my atom d2550s because of the odd hybrid x86/x86-64 systems they are. I had to install what ended up being linux mint debian edition 5 because that was the best way to get an OS on the odd bootloader system for various reasons, then upgraded to 6 to get to the latest debian, then I installed proxmox and removed all the debian stuff.
What do I do with something as weak as a pair of D2550s? Don’t you worry about that. I’ve found uses for both. :P
It’s an unusual use case, but it’s one reason you might need to install debian before proxmox.