@mallendeo
Last active February 5, 2026 19:32
Create a ZFS encrypted dataset in Proxmox

Create encrypted dataset:

zfs create -o encryption=on -o keyformat=passphrase rpool/safe

All child datasets of an encrypted dataset are also encrypted by default:

zfs create rpool/safe/backups

If you use this encrypted dataset as storage in Proxmox (e.g., vzdump, images), you must unlock it after every boot (via SSH):

zfs load-key rpool/safe
zfs mount rpool/safe # you may need this if it's not automatically mounted

If you don't, files (e.g., automatic VM backups) may be created in the bare mountpoint directory, outside the encrypted dataset, and leak data.

Option 1: PVE storage options (recommended for dir-type storage)

When adding directory-type storage, configure PVE to not create directories on unmounted paths:

pvesm add dir safe-backups --path /rpool/safe/backups --content backup,iso,vztmpl
pvesm set safe-backups --create-base-path 0 --create-subdirs 0 --is_mountpoint 1
  • --create-base-path 0 — don't create the base path if missing
  • --create-subdirs 0 — don't create subdirs (dump, template, etc.)
  • --is_mountpoint 1 — only use storage if something is mounted there

Note: If you already have leftover directories from before setting these options, remove them while the dataset is unmounted:

rm -rf /rpool/safe/backups/*
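
A check for the leftovers described above, as an added example that is not part of the original gist: it reports whether a directory is currently a mount target and, if it is not, lists anything sitting in it on the parent filesystem. The function names and the `MOUNTS` override are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the gist): find data that landed on the bare
# mountpoint directory while the encrypted dataset was locked.
# Assumption: MOUNTS may be overridden to test against a constructed table.
MOUNTS="${MOUNTS:-/proc/mounts}"

# is_mounted DIR: succeed if DIR is a mount target listed in $MOUNTS.
# Paths containing spaces appear escaped (\040) there and are not handled.
is_mounted() {
    awk -v want="$1" '$2 == want { found = 1 } END { exit !found }' "$MOUNTS"
}

# leaked_entries DIR: print everything below DIR on the parent filesystem.
# Returns 2 without output when DIR is mounted, since a listing would then
# show the dataset's real contents rather than leftovers.
leaked_entries() {
    if is_mounted "$1"; then
        return 2
    fi
    # -xdev keeps find on the parent filesystem; -mindepth 1 skips DIR itself.
    find "$1" -mindepth 1 -xdev -print 2>/dev/null
}

# check_mountpoint DIR: print a one-line verdict (plus leftovers, if any).
# Exit status: 0 clean or mounted, 1 leftovers found, 3 DIR missing.
check_mountpoint() {
    [ -d "$1" ] || { echo "MISSING: $1"; return 3; }
    if is_mounted "$1"; then
        echo "OK mounted: $1"
        return 0
    fi
    leftovers=$(leaked_entries "$1")
    if [ -n "$leftovers" ]; then
        echo "LEAK unmounted with leftover entries: $1"
        printf '%s\n' "$leftovers"
        return 1
    fi
    echo "OK unmounted and empty: $1"
}

# Usage on the host from this page, before unlocking:
#   check_mountpoint /rpool/safe
#   check_mountpoint /rpool/safe/backups
```

Running it before `zfs load-key` shows what was written while the dataset was locked; a `LEAK` verdict means those entries need cleaning up while the dataset is still unmounted.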

Option 2: chattr fallback (for extra protection or non-dir storage)

To prevent Proxmox from creating files on an unmounted ZFS dataset, run:

## RUN THESE COMMANDS ONCE AND WHEN THE ZFS DATASET IS NOT UNLOCKED/MOUNTED !!!
chmod a-w -R /rpool/safe
chattr +i -R /rpool/safe

Also do it on every reboot. Run crontab -e and add:

@reboot d=/rpool/safe; chmod a-w -R "$d"; chattr +i -R "$d"