Server upgrade, and how to install ZFS with encryption on a Hetzner server


Just moved everything on this machine to a new physical server with proper SSD RAID and it’s all so damn much faster now, wheee!

Had little fun dealing with Hetzner’s support explaining that their IP KVM cable was flaky and causing issues with server video, so I couldn’t enter the damn decryption passphrase for 3 hours or so… Hopefully, it’s over now.

Notes to self: next time you move data, use pve-zsync – it ended up being the fastest and the most sane option.

Installing Proxmox with full-disk encryption and ZFS on a Hetzner server

I think I followed this tutorial for installing Proxmox itself from inside Hetzner’s rescue system and this one to re-encrypt everything.

Then you have to ask Hetzner for a KVM and do all the usual network magic to put an OPNsense virtual machine in front of the real physical server.

Notes on Hetzner and MAC addresses

Another thing I hate about Hetzner: they force you to have your primary MAC address match the physical one on the server’s motherboard, even if you wish to use, say, OPNsense in a virtual machine facing the public Internet instead of the real thing. So you have to always do something like this:

auto enp0s31f6
iface enp0s31f6 inet manual
        hwaddress 00:00:00:00:de:ad

auto vmbr0
iface vmbr0 inet manual
        bridge-ports enp0s31f6
        bridge-stp off
        bridge-fd 0
        bridge_maxwait 0
        hwaddress 52:54:00:11:22:33
#OPNsense WAN

where 00:00:00:00:de:ad and 52:54:00:11:22:33 are bogus MACs. And then they’ll happily send you an ‘abuse’ notification claiming that you violated their MAC policy… but at least it all would work.

Notes on ZFS encryption

So far, there is no good way to automate decryption of ZFS datasets, so that I won’t have to ask Hetzner to attach a physical KVM dongle to the server in order to just enter the passphrase. For LUKS there’s unlock-cryptroot but I’m not aware of anything like this existing for ZFS.

So the sequence is like this:

 # the subcommand is load-key (singular); it prompts for the passphrase of each encryption root,
 # and child datasets inherit the loaded key
 # zfs load-key rpool/data
 # zfs load-key hddpool/data

### maybe I have missed something?
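One way to script the unlock step above so that only encryption roots whose keys are still missing get prompted for, followed by a mount of whatever became mountable. This is an added example, not something from the original post; it assumes the two pools named above and a constructed sample of the `zfs list` output for offline testing.

```shell
#!/bin/sh
# Added example: find encryption roots whose keys are not loaded, load each
# one (zfs prompts for the passphrase), then mount everything that can be mounted.
# The listing format is that of:
#   zfs list -H -o name,keystatus,encryptionroot -t filesystem
# (tab-separated: name, keystatus, encryptionroot).

# Constructed sample listing, shaped like the real output, used when no zfs
# binary is around. Pool and dataset names match the post above.
SAMPLE_LISTING='rpool	none	-
rpool/ROOT	none	-
rpool/data	unavailable	rpool/data
rpool/data/vm-100-disk-0	unavailable	rpool/data
hddpool	none	-
hddpool/data	available	hddpool/data'

# Print the distinct encryption roots whose keystatus is "unavailable".
# Children inherit their root's key, so only the root needs zfs load-key.
pending_roots() {
    printf '%s\n' "$1" \
        | awk -F'\t' '$2 == "unavailable" && $3 != "-" { print $3 }' \
        | sort -u
}

# Run against the live system: one passphrase prompt per locked root,
# then mount the datasets (zvols backing VMs need no mount, but datasets do).
unlock_all() {
    listing=$(zfs list -H -o name,keystatus,encryptionroot -t filesystem)
    for root in $(pending_roots "$listing"); do
        zfs load-key "$root"
    done
    zfs mount -a
}

# Uncomment on a host with zfs installed:
# unlock_all
```

Running `pending_roots "$SAMPLE_LISTING"` on the constructed listing yields just `rpool/data`: `hddpool/data` already has its key loaded and the zvol child is covered by its root.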