Proxmox Full Disk Encryption using LUKS

I really like encrypting data at rest. I think it’s great that macOS and Windows support that. If someone steals your device, it makes it impossible for them to abuse the data stored there.

I wanted to have that for my homelab as well.

Proxmox doesn’t support that using their default installer. Thankfully, there’s a lot of information on this on the interwebs. However, I wanted to aggregate some of that for future self-reference.

This assumes a fresh setup. There are ways to do it on existing installations, but I think it’s cleaner to do it fresh. Also, that way one gets to experience how breezy a backup/restore cycle can be - but I digress. Focus:

  1. One has to first set up Debian. So, download the latest Debian version supported by Proxmox (at the time of this writing that’s 12 - Bookworm).

  2. Burn the ISO to a USB drive, as shown in my TIL.

  3. Boot from that USB drive and run through the installer. Most defaults are sensible. When asked about disk storage, choose the “encrypted LVM” option.

    I kept the default storage layout as well.

  4. Remove the drive and boot into your fresh Debian installation, doing your first disk unlocking! Wowzah!

  5. I then set up Dropbear, so I can unlock the disk via SSH. The link is for my Ubuntu notes on that, but I’ve found them to work on Debian as well (they share a basis after all).

  6. Once that works, run through the official Proxmox Debian Setup steps.

  7. I then like to run this popular Proxmox post-install script.

That’s it. Now, one can restore the VMs from their backups. In my case, it wasn’t straightforward via the UI, because I didn’t configure any LVM-Thin storage this time around. Luckily, one can restore into different storage.
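
A check worth running after the first boot in step 4, as an added example that is not part of the original post: it walks the parent links reported by `lsblk` and lists every mounted filesystem that has no dm-crypt (LUKS) device underneath it. The device names and sample layout are constructed, and the allow-list assumes that the installer's "encrypted LVM" option leaves `/boot` (and `/boot/efi` on UEFI systems) unencrypted.

```shell
#!/bin/sh
# Added example (not from the original post).
# Live use: lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT | unexpected_plaintext

# Constructed sample: the layout assumed for "encrypted LVM" on a UEFI machine.
sample_lsblk() {
cat <<'EOF'
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot/efi"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda3" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda3" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"
EOF
}

# Print (sorted) every mount point whose chain of parent devices has no "crypt" node.
unencrypted_mounts() {
  awk '
    {
      line = $0; split("", f)                      # reset per-line field map
      while (match(line, /[A-Z]+="[^"]*"/)) {      # parse KEY="value" pairs
        pair = substr(line, RSTART, RLENGTH)
        line = substr(line, RSTART + RLENGTH)
        eq = index(pair, "=")
        f[substr(pair, 1, eq - 1)] = substr(pair, eq + 2, length(pair) - eq - 2)
      }
      k = f["KNAME"]; if (k == "") next
      type[k] = f["TYPE"]; parent[k] = f["PKNAME"]; mnt[k] = f["MOUNTPOINT"]
    }
    END {
      for (k in mnt) {
        if (mnt[k] == "") continue
        enc = 0; n = 0
        # Walk up towards the disk; the hop limit guards against malformed input.
        for (d = k; d != "" && n++ < 32; d = parent[d])
          if (type[d] == "crypt") { enc = 1; break }
        if (!enc) print mnt[k]
      }
    }' | LC_ALL=C sort
}

# Same list minus the mounts assumed to stay plaintext; empty output is the good case.
unexpected_plaintext() {
  unencrypted_mounts | grep -vxF -e /boot -e /boot/efi || true
}

echo "Plaintext mounts in the constructed sample:"
sample_lsblk | unencrypted_mounts
```

Anything printed by `unexpected_plaintext` on the real host, such as `/` or `[SWAP]`, means that filesystem is not covered by the LUKS container.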