Setting up Encrypted Proxmox Server
I want to install an encrypted Proxmox server, but the Proxmox installer does not offer LUKS encryption by default, so this is a step-by-step guide to installing Debian first and then switching over to Proxmox.
Background
When I first started selfhosting, I used to host everything barebones with Docker containers because I knew that my old Fujitsu laptop with 8GB of RAM and 4 cores would not be able to handle a hypervisor or VMs. However, now that I have a Dell Optiplex with 6 cores and 32GB of RAM slotted in, I was ready to try VMs with Proxmox.
First I looked into Proxmox and realized that it does not natively support booting from an encrypted drive and gives me no option to set that up during the installation. Hence, I needed to install Debian first and then install Proxmox on top of Debian.
Installing and running Debian
I first downloaded the latest ISO from their site and then flashed it onto a USB drive using Balena Etcher. Then I booted into the Setup Menu on the Optiplex by repeatedly pressing "F12" at boot. I chose the USB option and loaded the installer.
My first try did not work; it gave this error:
Verifying shim SBAT data failed: Security Policy Violation
Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation
Turns out I forgot to disable Secure Boot in my BIOS. So I restarted again, pressing F2 to get into the BIOS. Next I clicked on Secure Boot -> Enable Secure Boot and deselected it. Then I booted back up, selected my USB, and this time the Debian installer ran. Keep in mind that with Secure Boot off, the firmware no longer verifies the bootloader's signature.
Here, I chose the Install option, as the Graphical Install option is only needed if you want a GUI. I filled out most of the fields appropriately, and when it was time to choose the boot drive I chose the Manual option, which lets me create everything manually.

I first created my unencrypted partitions, which are boot and EFI. If you don't create the EFI partition, you would have to take the extra step of going into the BIOS and checking "Allow Legacy Boot". Here are the encrypted and unencrypted partitions:
500 MB - EFI (ESP)
1.5 GB - /boot (this is ext2)
8 GB - swap (but choose "physical volume for encryption")
Rest - / (choose "physical volume for encryption")

After creating them, click on "Configure encrypted volumes". This will save your partitions, and you will then have to choose which volumes to encrypt.
Select Configure encrypted volumes.
Click on Create encrypted volume.
In this area, select the partitions to encrypt; they are shown as "crypto".
Click on Continue and then Finish.
Confirm that you really want to encrypt the partitions and erase their data.
Now wait for your drives to be overwritten with random data to prevent information leaks. It can be cancelled, but for maximum security it's better to wait for it. Depending on how big your boot drive is, it can take a while.
Next you will have to protect them with a strong and secure passphrase. Keep in mind that you will not have any chance to recover the data if you lose the passphrase, so keep it safe!
Now you're back at the partition screen again.
This time, there should be volumes listed under the LUKS encrypted volumes. Designate your root and swap volumes. Now click Finish to complete. Continue your setup; the rest should be pretty straightforward.
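Once the new system has booted, it is worth confirming that / and swap really ended up behind LUKS. The check below is an added example, not part of the original write-up: the function names and the sample device names (sda1 to sda4, sdaN_crypt, ext4 root) are constructed, and it assumes the filesystems sit directly on the dm-crypt mappings as in the layout above (no LVM).

```shell
# Added example: check that / and swap live on dm-crypt mappings whose parent
# partition is LUKS. Input: lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT
# Assumes filesystems sit directly on the crypt mapping (no LVM layer).
check_encrypted_layout() {
    awk '
    {
        split("", f)                      # clear the per-line key/value map
        for (i = 1; i <= NF; i++) {       # parse KEY="value" pairs
            eq = index($i, "=")
            val = substr($i, eq + 1)
            gsub(/"/, "", val)
            f[substr($i, 1, eq - 1)] = val
        }
        fstype[f["NAME"]] = f["FSTYPE"]
        if (f["MOUNTPOINT"] == "/" || f["MOUNTPOINT"] == "[SWAP]") {
            dev[f["MOUNTPOINT"]] = f["NAME"]
            type[f["NAME"]] = f["TYPE"]
            parent[f["NAME"]] = f["PKNAME"]
        }
    }
    END {
        bad = 0
        n = split("/ [SWAP]", targets, " ")
        for (t = 1; t <= n; t++) {
            mp = targets[t]; d = dev[mp]
            if (d == "") {
                print "MISSING " mp; bad = 1
            } else if (type[d] == "crypt" && fstype[parent[d]] == "crypto_LUKS") {
                print "OK " mp " on " d " (LUKS partition " parent[d] ")"
            } else {
                print "UNENCRYPTED " mp " on " d; bad = 1
            }
        }
        exit bad                          # non-zero if anything is not on LUKS
    }'
}

# Constructed sample matching the partition layout in this guide.
sample_layout() {
    cat <<'EOF'
NAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="sda2" PKNAME="sda" TYPE="part" FSTYPE="ext2" MOUNTPOINT="/boot"
NAME="sda3" PKNAME="sda" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="sda3_crypt" PKNAME="sda3" TYPE="crypt" FSTYPE="swap" MOUNTPOINT="[SWAP]"
NAME="sda4" PKNAME="sda" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="sda4_crypt" PKNAME="sda4" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/"
EOF
}
sample_layout | check_encrypted_layout
```

On the installed machine, pipe the real output in instead of the sample: `lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT | check_encrypted_layout`.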
Installing Proxmox on Debian
Just follow the exact commands on this site:
After that, go and change your repos for updating and upgrading:
nano /etc/apt/sources.list.d/pve-enterprise.list
# deb https://enterprise.proxmox.com/debian/pve bookworm pve-enterprise
deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription
Comment out the first line (pve-enterprise) and add the second line. Next, go and do the same for your ceph.list:
nano /etc/apt/sources.list.d/ceph.list
#deb https://enterprise.proxmox.com/debian/ceph-quincy bookworm enterprise
deb http://download.proxmox.com/debian/ceph-quincy bookworm no-subscription
Comment out the first line and add the second line. If you don't have the ceph.list file, create it and add the second line. Next, if there's a file called pve-install-repo.list, delete it as it's no longer needed. Now your Proxmox is ready and rolling!