PrivSec-dev/privsec.dev
1
0
Fork 0
mirror of https://github.com/PrivSec-dev/privsec.dev synced 2025-02-20 18:31:35 -05:00
Code

Partitioning

Browse Source
This commit is contained in:
Tommy 2024-02-01 01:14:19 -07:00 committed by GitHub
parent 9a4e2f3007
commit 2547d65533
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 23 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
content/posts/linux/Using TPM Unlock with Proxmox Encryption.md
View File

@ -1,3 +1,10 @@
---
title: "Using TPM unlock with Proxmox Encryption"
date: 2024-02-01
tags: ['Operating Systems', 'Linux', 'Security']
author: Tommy
---
# Using TPM unlock with Proxmox Encryption
Currently, the Proxmox installer does not support setting up encryption with ZFS. Previously, I have written on how to setup Proxmox with native ZFS encryption and remote unlock with Dropbear. Today, I will guide you through the process of setting it up with TPM unlock and Secure Boot.
@ -9,7 +16,9 @@ By the end of this guide, you will have:
Limitations:
- No rollback protection. This could theoratically be solved with [PCR Oracle](https://github.com/okirch/pcr-oracle), though I have not looked into it in depth yet. I will update this guide in the future when I have figured it out :)
- This is not proper verified boot. At best, it prevents someone from just replace your kernel/initramfs and compromise your system, but it will not provide any protection against malware persistence and so on.
- The TPM is fully trusted. An adversary will be able to decrypt your drive if they can get the internal state of the TPM, such as with the [FaulTPM](https://arxiv.org/pdf/2304.14717.pdf) vulnerability.
- This procedure will only work if you have at least 2 drives to setup mirroring.
## The Design
@ -18,3 +27,16 @@ There is currently no nice solution for unlocking native ZFS encryption with a T
To get the best of both worlds, we will set up a ZFS encryption partition with LUKS for Proxmox itself. After the system has booted, we will unlock and mount a second ZFS partition encrypted with native ZFS encryption using a key stored inside the ZFS partiton encrypted with LUKS. This way, we can get TPM unlock and use it to provide some basic tamper detection, while still allowing ZFS direct access to the disk for where the virtual machines are stored and achieve optimal performance.
UEFI Firmware -> Signed UKI --(TPM Unlock)--> PVE partition (ZFS on LUKS) -> VM storage (Native ZFS Encryption)
## Proxmox Installation
### Disable Secure Boot
Disable Secure Boot before installing Proxmox. By default, Proxmox installs with Grub, Shim, and MOKUtil etc if Secure Boot is enabled. It is just easier to not have to clean them up later.
### Select your RAID level
- Boot into the installation media. Select the filesystem as ZFS with a RAID level of your choice. I will be using ZFS Mirror for the rest of this guide.
- In advanced configuration, reduce the `hdsize`. Proxmox on its own only takes up about 5-6 GB of storage, and I do not intend to store anything else like ISO files on it, so I will set the size as 32GB (the extra space is to account for future updates).