Background: I’d like to turn an old personal laptop into a Jellyfin server so that I can stream media to my living room TV. I want to be able to expand what I use this server for over time. I’m leaning toward Proxmox as the OS so that I can spin up new containers for various services instead of installing a bunch of services on a base Debian install. I also want full disk encryption so that any data on the OS drive is less likely to be compromised by theft or Craigslist.

Question #1: I gather the general accepted approach for this is to first install Debian as a base w/ full disk encryption enabled and then install Proxmox on top because there is no option for full disk encryption in the native installer for Proxmox. Is this still the case?

Excerpt from this tutorial from November 2023 on the Proxmox Forum:

This tutorial deals with encryption of an existing installation. If you are starting fresh, my recommendation would be to install Debian with full disk encryption and then add Proxmox to it.

Excerpt from this post from February 2019 on the Level1Techs Forum:

The easiest way to do an encrypted Proxmox setup is to start with a minimal, vanilla Debian install. Set up the encrypted partition using the installer like you would with any other Debian system. Once installed, reboot. Then follow the guide for installing Proxmox on Debian.

Question #2: I don’t mind entering the key manually whenever I reboot the server, but will I be able to unlock the server remotely? For example, suppose I’m tinkering in the web admin panel or an SSH session and I want/need to reboot—will I have to physically go over to the laptop and enter the key every time?

Also, I appreciate any other tips from the community to help me think about this in the right way. Thanks!

  • tvcvt@lemmy.ml (+10, 5 months ago)

    Another idea for you: if you use ZFS for the install, check Debian directions on OpenZFS or zfsbootmenu and you’ll get directions for an encrypted installation. You’ll be able to specify the path to a key file, which you can keep on a thumb drive. When the machine boots up, it’ll see the thumb drive and decrypt the zpool automatically; yank the thumb drive and it won’t (back up the key, of course).

  • ryokimball@infosec.pub (+6, 5 months ago)

    I think when people want to remotely decrypt FDE, the usual advice is installing dropbear SSH to remotely enter the password. Sorry for not providing links, but it should be easy to find.

  • jjffnn@feddit.dk (+5, 4 months ago)

    I have a LUKS-encrypted Proxmox machine.
    And the easiest way I found to do it was to install Debian with full disk encryption and then do some magic to swap the kernel from Debian to Proxmox.
    Or that’s what I think I did, at least. I’m no Linux magician, I just use it.
    On another server I use dropbear to unlock LUKS over SSH. Those two things should be easy to combine.
    I took meticulous notes, so I should be able to give you some direction to go if you need some help and can’t find a decent guide out there.
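    The dropbear unlock that ryokimball and jjffnn mention, written out as an added example (this is not code from the thread or from the dropbear-initramfs package itself) for Debian bookworm, whose dropbear-initramfs package reads its configuration from /etc/dropbear/initramfs. The script writes the daemon options, a single authorized key restricted to the cryptroot-unlock command, and the ip= kernel parameter the initramfs needs to bring the network up, then rebuilds the initramfs. The addresses, port and public key are constructed placeholders; PREFIX is an assumption that lets you write the files into a scratch directory and inspect them before touching the live host, and the /etc/default/grub.d drop-in assumes Debian's grub-mkconfig sources that directory (if yours does not, append the same ip= parameter to GRUB_CMDLINE_LINUX in /etc/default/grub instead).

```shell
#!/bin/sh
# Added example (not from the thread): remote LUKS unlock at boot with
# dropbear-initramfs on Debian bookworm. Paths follow the bookworm package
# layout (/etc/dropbear/initramfs). Addresses, key and port are placeholders.
set -eu

PREFIX="${PREFIX:-}"                 # empty on the live host; a scratch dir for a dry run
UNLOCK_PORT="${UNLOCK_PORT:-2222}"   # not 22, so clients never mix up the initramfs host key with the real sshd's
HOST_IP="${HOST_IP:-192.0.2.10}"     # constructed TEST-NET-1 addresses
GATEWAY="${GATEWAY:-192.0.2.1}"
NETMASK="${NETMASK:-255.255.255.0}"
IFACE="${IFACE:-eth0}"               # interface name as the kernel sees it inside the initramfs
# Placeholder public key of the machine you will unlock from (constructed, not a real key)
UNLOCK_PUBKEY="${UNLOCK_PUBKEY:-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACE unlock@desk}"

# Dropbear daemon options for the initramfs and the single key allowed in.
write_dropbear_config() {
    conf_dir="$PREFIX/etc/dropbear/initramfs"
    mkdir -p "$conf_dir"
    # -I 180: idle timeout, -j -k: no local/remote port forwarding,
    # -s: no password logins, -p: listen port
    printf 'DROPBEAR_OPTIONS="-I 180 -j -k -p %s -s"\n' "$UNLOCK_PORT" > "$conf_dir/dropbear.conf"
    # command= forces cryptroot-unlock: the key can answer the LUKS prompt and nothing else
    printf 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="cryptroot-unlock" %s\n' \
        "$UNLOCK_PUBKEY" > "$conf_dir/authorized_keys"
    chmod 600 "$conf_dir/authorized_keys"
}

# Static network config for the initramfs through the ip= kernel parameter
# (format: client:server:gateway:netmask:hostname:device:autoconf).
write_network_config() {
    grub_dir="$PREFIX/etc/default/grub.d"
    mkdir -p "$grub_dir"
    printf 'GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ip=%s::%s:%s::%s:none"\n' \
        "$HOST_IP" "$GATEWAY" "$NETMASK" "$IFACE" > "$grub_dir/dropbear-unlock.cfg"
}

# Full run on the live host: install, configure, rebuild initramfs and grub config.
install_remote_unlock() {
    apt-get install -y dropbear-initramfs
    write_dropbear_config
    write_network_config
    update-initramfs -u
    update-grub
}

if [ "${RUN_INSTALL:-0}" = 1 ]; then
    install_remote_unlock
fi
```

    After a reboot the machine waits at the LUKS prompt with dropbear listening, and `ssh -p 2222 root@192.0.2.10` lands straight in cryptroot-unlock, where you type the passphrase; once the root volume is open the initramfs SSH server goes away and the normal sshd takes over on port 22. Record the fingerprint of the host key dropbear-initramfs generated under /etc/dropbear/initramfs before relying on this, so a changed key at the pre-boot prompt stands out. Keep in mind that the initramfs lives on the unencrypted /boot partition, so the unlock shell is only as trustworthy as /boot itself; that is the gap Secure Boot and TPM measurement are meant to close, not LUKS.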

    • barnaclebill@lemmy.dbzer0.com (OP) (+4, 4 months ago)

      You swapped the kernel? I guess I’ll find out soon enough when I attempt my setup, but as I gather up the motivation to dive in, I’m assuming it will be as simple as installing a proxmox package or something. I guess I should re-read the guides. 🤣

      That would be dope if you wouldn’t mind sharing your notes. There’s a decent amount of documentation out there already, but I often find it extremely valuable to read different people’s perspectives from real life experience in addition to the official guides. No pressure. Either way, thanks for chiming in!

      • jjffnn@feddit.dk (+2, 4 months ago)

        It took some time as I had to find a moment to translate my notes.
        I did my best with formatting, but for some reason new paragraphs aren’t a thing I can get working in an unordered list in a Lemmy comment 🤷
        I presume some basic knowledge of Linux and how to install an OS on a machine, but I’ve tried to add every single step with commands.
        If anybody knows an easier way or has any comments regarding this, feel free to educate me.

        Here is the way I installed it:

        Switching the kernel:

        • Install default Debian bookworm without a desktop environment, but with “standard system utilities” and “SSH server”
          • Don’t forget to LUKS it, or else you could have just used the Proxmox ISO 😉
          • SSH server could probably be omitted if everything is done directly on the machine, but I wanted it so I could copy/paste commands
        • Boot and log in as root
        • Check /etc/hosts and change the IP in front of the hostname to the static IP of the machine
        • Check with hostname --ip-address; it should return the IP address
        • Add the Proxmox repo with echo "deb [arch=amd64] http://download.proxmox.com/debian/pve bookworm pve-no-subscription" > /etc/apt/sources.list.d/pve-install-repo.list
        • Add the Proxmox key with wget https://enterprise.proxmox.com/debian/proxmox-release-bookworm.gpg -O /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg
        • Run apt update && apt full-upgrade
        • Install the Proxmox kernel with apt install proxmox-default-kernel
        • Restart with systemctl reboot
        • NOTE: The machine will boot and get stuck on loading the initial ramdisk; type in the LUKS key and press enter despite not getting a prompt

        Installing the packages

        • Install the Proxmox packages with apt install proxmox-ve postfix open-iscsi chrony
          • Postfix needs to be configured; if you have no mail server, choose local only and let the system name stay as default
        • Remove the Debian kernel with apt remove linux-image-amd64 'linux-image-6.1*'
        • Update and check the grub config with update-grub
          • Seems redundant, because I think it does this by itself when running the command above
        • If Proxmox is the only OS, remove os-prober with apt remove os-prober
          • This gave me an error about it not being empty, but it fixed itself after a reboot
        • I think a reboot is needed here, but I honestly don’t remember. If in doubt, run systemctl reboot


        Adding SSH access for root user
        It’s easier to copy/paste commands; this requires SSH access to the server.
        This can be done at any point. I did it as soon as I installed Debian, and then removed it as I booted into Proxmox.

        • Edit /etc/ssh/sshd_config with nano /etc/ssh/sshd_config
        • Around line 32 find #PermitRootLogin without-password, make a new line below it and write PermitRootLogin yes.
          • The commented line can be edited, but I find it easier to add the line as it needs to be removed again later
        • Restart the SSH server with /etc/init.d/ssh restart
        • When done with copy/pasting the commands it’s better to remove root SSH access again; this is done by removing the line that was added above

        Removing Debian user
        This removes the user that was made as part of installing Debian. It can probably be used, but I found it better to add all needed users once I got into Proxmox instead. The [username] of course needs to be changed to the username you used when you installed Debian.

        • Log in to the terminal as root
        • Find the list of users with grep 'users' /etc/group
        • Use deluser [username] to remove the user

  • monkeyman512@lemmy.world (+5/−1, 5 months ago)

    Any reason you need to encrypt the host OS information? I would assume anything interesting would be in the VM and you could probably have the VM encrypt its own storage.

  • glizzyguzzler@lemmy.blahaj.zone (+3/−1, 4 months ago)

    Since you’re not using proxmox as an OS install, why not check out Incus? It accomplishes the same goals as proxmox but is easier to use (for me at least). Make sure you install incus’ web ui, makes it ez pz. Incus does the VMs and containers just like proxmox but isn’t focused on clustering 1st but rather machine 1st. It does do clustering, but the default UI is set for your machine to start so it makes more sense to me. The forums are very useful and questions get answered quickly, and there’s an Ubuntu-only fork called LXD which expands the available pool of answers. (For now, almost all commands are the same between Incus and LXD). I run the incus stable release from the Zabbly package repo, I think the long term release doesn’t have the web ui yet (I could be wrong). Never have had a problem. When Debian 13 hits I’ll switch to whatever is included there and should be set.

    https://linuxcontainers.org/incus/docs/main/installing/#installing-from-package

    I use incus for VMs and LXC containers. I also have Docker on the Debian system. Many types of containers for every purpose!

    I installed incus on a Debian system that I encrypted with LUKS. It unlocks after reboots with a USB drive, basically I use it like a yubikey but you could leave it in so the system always reboots no problem. There’s also a network unlock too but I didn’t try to figure that out. Without USB drive or network, you’ll have to enter the encryption key on every reboot.

    • MangoPenguin@lemmy.blahaj.zone (+1, 4 months ago)

      This looks interesting, how do you handle automated backups of all the VMs/Containers? Their docs kind of seem to say “stop everything and figure it out”, but with Proxmox I’m used to it handling everything automatically to my PBS server every night.

      • glizzyguzzler@lemmy.blahaj.zone (+1, edited, 4 months ago)

        https://linuxcontainers.org/incus/docs/main/howto/instances_backup/#instances-snapshots

        This describes the gist, it’s all about snapshots! Incus loves BTRFS/ZFS.

        There’s no true need for stop everything as far as I can tell.

        Stop everything is applicable for databases for any backup system (a snapshot avoids backing up a database mid-write (guaranteed failure), but the snapshot could be during a live database multi-step operation and, while intact, is left in a cursed state). For databases I make sure to stop and back up (SQLite losers) or back up live (Gods’ chosen Postgres) specially so no very niche database failures occur, even though it was done with instant/write-safe snapshots!!

        Recovery plan is restore snapshot and if 0.1% chance of database bad bc was mid big multiple step operation then I have the .gz to restore from.

        • MangoPenguin@lemmy.blahaj.zone (+2, 4 months ago)

          That’s what proxmox has too, but snapshots aren’t backups and aren’t being sent to a remote backup server… You’re also not supposed to keep snapshots around for very long, whereas I have backups going back several months.

          Or are you sending snapshots to a remote server? I think ZFS can do that, so maybe that’s an option I can look at.

          • glizzyguzzler@lemmy.blahaj.zone (+1, 4 months ago)

            https://linuxcontainers.org/incus/docs/main/howto/instances_backup/#instances-backup-export

            A bit down from the snapshots section is the export section. What I do is I export to a place, then back it up with Restic. I do not compress on export and instead do it myself with the --rsyncable flag added to zstd. (The flag applies to gzip too.) With the rsyncable flag, incremental backups work on the zip file, so it’s space efficient despite being compressed. I don’t worry about collating individual zip files; instead I rely on Restic’s built-in versioning to get a specific version of the VM/container if I needed it.

            Also a few of my containers I linked the real file system (big ole data drive) into the container and just snapshot the big ole data drive/send said snapshot using the BTRFS/ZFS methods cause that seemed easier, those containers are easy enough to stand up on a whim and then just need said data hooked up.

            I also restic the sent snapshot since snapshots are write-static and restic can read from it at its leisure. Restic is the final backup orchestrator for all of my data. One restic call == one “restic snapshot” so I call it monolithically with one call covering several data sources.

            Hope that helps!
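            The export, compress and restic pipeline described above, written out as an added example (not the commenter’s own script and not part of Incus or restic): the instance is exported uncompressed, compressed with zstd --rsyncable so that unchanged regions of successive exports compress to identical bytes and restic’s chunker can deduplicate them, and then backed up with a retention policy that provides the versioning. The instance name, export directory and keep counts are constructed; RESTIC_REPOSITORY and RESTIC_PASSWORD_FILE are assumed to be set in the environment the way restic expects, and DRY_RUN is an assumption added so the commands can be printed and checked before the script is wired into cron.

```shell
#!/bin/sh
# Added example (not from the thread): Incus export -> zstd --rsyncable -> restic,
# with restic's retention policy doing the versioning.
# Assumes RESTIC_REPOSITORY and RESTIC_PASSWORD_FILE are set for restic.
set -eu

EXPORT_DIR="${EXPORT_DIR:-/var/backups/incus}"   # constructed path
STAMP="${STAMP:-$(date +%Y%m%d-%H%M%S)}"          # override via env for reproducible dry runs
DRY_RUN="${DRY_RUN:-0}"                            # 1 = print each command instead of running it

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

export_path() { printf '%s/%s-%s.tar' "$EXPORT_DIR" "$1" "$STAMP"; }

# Export an instance as an uncompressed tarball; letting incus compress it
# would defeat rsyncable chunking. --instance-only leaves out its snapshots.
export_instance() {
    run incus export "$1" "$(export_path "$1")" --compression none --instance-only
}

# zstd --rsyncable resets the compressor at content-defined points, so an
# unchanged stretch of input yields the same output bytes in the next run and
# restic can dedupe it. --rm deletes the .tar once the .tar.zst is written.
compress_export() {
    run zstd --rsyncable -T0 --rm "$(export_path "$1")"
}

# Ship the export directory to the repo and apply the retention policy
# (constructed keep counts: a week of dailies, a month of weeklies, half a year of monthlies).
backup_and_prune() {
    run restic backup --tag incus "$EXPORT_DIR"
    run restic forget --tag incus --keep-daily 7 --keep-weekly 4 --keep-monthly 6 --prune
}

# One instance end to end; call from cron with the instance name.
backup_instance() {
    run mkdir -p "$EXPORT_DIR"
    export_instance "$1"
    compress_export "$1"
    backup_and_prune
}

if [ "${RUN_BACKUP:-0}" = 1 ]; then
    backup_instance "${1:-jellyfin}"
fi
```

            Saved as, say, /usr/local/sbin/incus-backup.sh (an assumed path), a crontab line such as `15 2 * * * RUN_BACKUP=1 /usr/local/sbin/incus-backup.sh jellyfin` gives the nightly run MangoPenguin asked about, with restic forget doing the interval-based pruning. The script does nothing about databases inside the instance; the commenter’s point about stopping or dumping them before the export still applies, and that step belongs in front of export_instance for such instances.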

            • MangoPenguin@lemmy.blahaj.zone (+1, 4 months ago)

              Is it all automated with versioning intervals and stuff? Or is restic required as a third party step and maintaining a duplicate of data on the server for it to grab?

              Overall it sounds like a decent VM manager but is meant for enterprise stuff where they’ll be building their own backup systems.

              • glizzyguzzler@lemmy.blahaj.zone (+2, 4 months ago)

                So extra background, I was put off by proxmox’s weird steps to get ISOs onto the system via USB so I was like “I am not touching the backup stuff” and just rolled my own (I treat the VMs/containers on my proxmox server like individual servers and back them up accordingly and do not back up the underlying proxmox instance itself).

                I see proxmox has a similar pruning setting to Restic, and it exports the files like incus. So I’d say yes, proxmox is one-stop-shop for backup while with incus you have to put its container export options and restic together and put that in a cron job.

                Still hard to say what I’d definitively tell a newbie to go with. I found (and still find) the proxmox UI daunting and difficult, while the incus UI makes much more sense to me and is easier (has an ISO pulling system built in, for instance). But as you’ve pointed out, proxmox gives you an easy way to have robust backups that takes much more effort on the incus side.

                As backups are paramount, proxmox for a total newbie. If someone is familiar with scripting, then incus - because it needs scripted backups to be as robust as proxmox’ backups. @barnaclebill@lemmy.dbzer0.com this conclusion should help you choose proxmox (most likely)!

                • MangoPenguin@lemmy.blahaj.zone (+2, edited, 4 months ago)

                  It’s interesting because you’re not the first person to complain about getting ISOs in Proxmox, but on my instance if I click on my local storage it has an upload ISO button, and a download ISO from URL button right there, so it’s really simple.

                  It can also mount network storage with existing ISOs and just pull from that.

                  I don’t use ISOs very often though, either a Debian 12 container template, or a custom Debian 12 cloud-init VM I made and backed up, so I can just hit restore and it gives me a fresh VM with new networking config and everything through cloud-init automatically.

    • barnaclebill@lemmy.dbzer0.com (OP) (+1, 4 months ago)

      I was wondering if anyone would bring up Incus. I’m still pretty new to all this. From what I can tell, there seems to be a larger community around Proxmox, but I’ve seen enough mentions of Incus to pique my curiosity. I’ll have to explore this some more. Thanks for mentioning it.

      • glizzyguzzler@lemmy.blahaj.zone (+2, edited, 4 months ago)

        There is a larger community. I have proxmox and incus on two devices and for the basics (LXC container/VM) Incus is way more straightforward. Ditching proxmox next reinstall on the other device (that proxmox install is the OS version). If you’re doing regular stuff it’s easy enough even with the reduced community! They’ve covered the basics well.

        But again, proxmox community is larger. I started with it for that reason too.

  • jj4211@lemmy.world (+2, edited, 4 months ago)

    You can use one of a few ways to use the TPM to auto decrypt on boot without passphrase. systemd-cryptenroll is my favorite.
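    A concrete form of the TPM enrolment jj4211 describes, as an added example that is not from the thread and not systemd’s own documentation: it enrols the TPM as a LUKS2 key slot with systemd-cryptenroll, adds a printed recovery key as a fallback, and appends the tpm2-device=auto option to the matching /etc/crypttab entry so the initramfs tries the TPM first. The device path, mapping name and crypttab contents are constructed placeholders; PREFIX is an assumption for exercising the crypttab edit on a copy. Whether the Debian initramfs honours tpm2-device at boot depends on the installed cryptsetup-initramfs version, so keep the passphrase slot until you have watched one unattended boot succeed.

```shell
#!/bin/sh
# Added example (not from the thread): TPM-bound unlock of a LUKS2 root with
# systemd-cryptenroll, plus the crypttab change that makes the initramfs use it.
set -eu

PREFIX="${PREFIX:-}"                         # empty on the live host; a scratch dir to test the crypttab edit
LUKS_DEV="${LUKS_DEV:-/dev/nvme0n1p3}"       # placeholder: the LUKS partition, not the mapped device
CRYPT_NAME="${CRYPT_NAME:-nvme0n1p3_crypt}"  # placeholder: first column of the crypttab entry
# PCR 7 = Secure Boot policy. Bound only to PCR 7, the TPM releases the key on
# any boot with the same Secure Boot state, so the OS login is then the only
# barrier; adding PCR 0 (firmware) or a PIN (--tpm2-with-pin=yes, systemd 251+)
# tightens that at the cost of re-enrolling after firmware updates.
PCRS="${PCRS:-7}"

# Enrol the TPM and a recovery key, then list the key slots.
enroll_tpm() {
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="$PCRS" "$LUKS_DEV"
    systemd-cryptenroll --recovery-key "$LUKS_DEV"    # prints a one-time recovery key: store it offline
    systemd-cryptenroll "$LUKS_DEV"                   # no action flag: lists what is enrolled
}

# Append tpm2-device=auto to the options column of one crypttab entry.
# Idempotent: an entry that already names a tpm2-device is left untouched,
# and an entry with no options column gets one.
add_tpm2_option() {
    name="$1"
    file="$PREFIX/etc/crypttab"
    awk -v n="$name" '
        $1 == n {
            if (NF < 4)                    $4 = "tpm2-device=auto"
            else if ($4 !~ /tpm2-device=/) $4 = $4 ",tpm2-device=auto"
        }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Full run on the live host: enrol, update crypttab, rebuild the initramfs.
enable_tpm_unlock() {
    enroll_tpm
    add_tpm2_option "$CRYPT_NAME"
    update-initramfs -u
}

if [ "${RUN_ENROLL:-0}" = 1 ]; then
    enable_tpm_unlock
fi
```

    The passphrase slot stays in place, so a firmware update or a changed Secure Boot state that makes the TPM refuse the key only costs you a manual unlock, not the data; the recovery key is the second fallback for the day the passphrase is forgotten. The crypttab edit is the part that usually goes wrong by hand, which is why it is a function you can run against a copy first.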

  • pineapple@lemmy.ml (+2, 4 months ago)

    If you want to set up disk encryption, you should probably understand that, while the server is booted up, as far as I know there will be no disk encryption, leaving it completely available for anyone to take data from.

    Although most people entering your house would probably unplug the laptop and open it at their own home, the data could still be valuable if it stays powered up with battery power.

    • barnaclebill@lemmy.dbzer0.com (OP) (+2, 4 months ago)

      Good point, thanks for clarifying that. I suppose the theft scenario is iffy, but it’ll still help in case I ever sell (or junk) the disk.

  • terminhell@lemmy.dbzer0.com (+5/−4, edited, 4 months ago)

    I don’t understand why you’d install Debian before the hypervisor.

    Edit: TiL thx for the replies. I legit didn’t know of these scenarios.

    • deafboy@lemmy.world (+2, 4 months ago)

      Proxmox is based on Debian, but its installer does not offer you as many options as the base Debian installer. People figured out you can just install Debian with your preferred settings and then just slap the Proxmox packages on top.

    • jj4211@lemmy.world (+2, edited, 4 months ago)

      Because it says to do so?

      Proxmox uses Debian as the OS, and for several scenarios it says to do Debian to get that done and just add the Proxmox software. It’s managing QEMU/KVM on a Debian-managed kernel.

    • sj_zero@lotide.fbxl.net (+1, 4 months ago)

      I had to do it for my Atom D2550s because of the odd hybrid x86/x86-64 systems they are. I had to install what ended up being Linux Mint Debian Edition 5 because that was the best way to get an OS on the odd bootloader system for various reasons, then upgraded to 6 to get to the latest Debian, then I installed Proxmox and removed all the Debian stuff.

      What do I do with something as weak as a pair of D2550s? Don’t you worry about that. I’ve found uses for both. :P

      It’s an unusual use case, but it’s one reason you might need to install debian before proxmox.