PrivSec-dev/privsec.dev
1
0
Fork 0
mirror of https://github.com/PrivSec-dev/privsec.dev synced 2025-02-20 18:31:35 -05:00
Code
2547d65533
privsec.dev/content/posts/linux/Using TPM Unlock with Proxmox Encryption.md
Tommy 2547d65533
Partitioning
2024-02-01 01:14:19 -07:00

3.0 KiB
Raw Blame History

title date tags author
Using TPM unlock with Proxmox Encryption 2024-02-01
Operating Systems
Linux
Security
Tommy

Using TPM unlock with Proxmox Encryption

Currently, the Proxmox installer does not support setting up encryption with ZFS. Previously, I have written on how to setup Proxmox with native ZFS encryption and remote unlock with Dropbear. Today, I will guide you through the process of setting it up with TPM unlock and Secure Boot.

By the end of this guide, you will have:

  • Secure Boot setup with your custom key and Unified Kernel Image
  • Autheticated Drive Encryption (AEAD)
  • Automatic unlock and some tamper detection with the TPM

Limitations:

  • No rollback protection. This could theoratically be solved with PCR Oracle, though I have not looked into it in depth yet. I will update this guide in the future when I have figured it out :)
  • This is not proper verified boot. At best, it prevents someone from just replace your kernel/initramfs and compromise your system, but it will not provide any protection against malware persistence and so on.
  • The TPM is fully trusted. An adversary will be able to decrypt your drive if they can get the internal state of the TPM, such as with the FaulTPM vulnerability.
  • This procedure will only work if you have at least 2 drives to setup mirroring.

The Design

There is currently no nice solution for unlocking native ZFS encryption with a TPM. While theoratically possible, the tooling for it does not exist as of this writing, to my knowledge. ZFS on LUKS will work with TPM unlock (via systemd-cryptenroll), but is suboptimal as ZFS will not get direct access to the disk.

To get the best of both worlds, we will set up a ZFS encryption partition with LUKS for Proxmox itself. After the system has booted, we will unlock and mount a second ZFS partition encrypted with native ZFS encryption using a key stored inside the ZFS partiton encrypted with LUKS. This way, we can get TPM unlock and use it to provide some basic tamper detection, while still allowing ZFS direct access to the disk for where the virtual machines are stored and achieve optimal performance.

UEFI Firmware -> Signed UKI --(TPM Unlock)--> PVE partition (ZFS on LUKS) -> VM storage (Native ZFS Encryption)

Proxmox Installation

Disable Secure Boot

Disable Secure Boot before installing Proxmox. By default, Proxmox installs with Grub, Shim, and MOKUtil etc if Secure Boot is enabled. It is just easier to not have to clean them up later.

Select your RAID level

  • Boot into the installation media. Select the filesystem as ZFS with a RAID level of your choice. I will be using ZFS Mirror for the rest of this guide.

  • In advanced configuration, reduce the hdsize. Proxmox on its own only takes up about 5-6 GB of storage, and I do not intend to store anything else like ISO files on it, so I will set the size as 32GB (the extra space is to account for future updates).