Proxmox VE Encryption Part 1: Different modes of encryption
Monday 10th November 2025
Encryption alternatives in Proxmox
Encryption can be implemented at different levels. Each has benefits and disadvantages.
Full disk encryption on the host level
Encryption on the ZFS pool level
Full disk encryption on the guest OS level
Full Disk Encryption on host level
Pros
Encrypts the entire system and all future VMs at rest
Theft proof
You can unlock the Proxmox server from SSH
Cons
Difficult to implement:
There is no option to encrypt the disks when installing Proxmox. You have to install Debian with encryption enabled and then install Proxmox.
What if you have multiple disks? Will all disks be encrypted, or just the root drive? It becomes very complex.
You need to reinstall the entire system to enable encryption.
After a power outage the server won’t boot up automatically. If the VM running the VPN server is hosted on that server, you cannot manually restart it from outside your LAN.
Evaluation
Enabling full disk encryption is not worth the hassle on an existing Proxmox server. Even on a new server it is questionable. The only advantage full disk encryption has over ZFS pool encryption is that the Proxmox configuration gets encrypted, but that is not necessarily sensitive information.
ZFS Pool Encryption
Pros
Encrypts pools and datasets, making the VM disks theft proof
Unlocks with a passphrase or a keyfile after reboot
Easier to implement than full disk encryption on the host level
Can be combined with full disk encryption on the guest OS level
Cons
Pools and datasets have to be unlocked after a power outage
You need to migrate existing unencrypted datasets to encrypted ones.
Proxmox configuration will not be encrypted
It may be theft proof, but administrators can still read the content of the guest OS disks.
Evaluation
Easier to implement than full disk encryption, less complex and more straightforward. Unlocking can be automated; however, you need an HSM infrastructure for that.
Example of HSM solution: https://www.yubico.com/products/hardware-security-module/
Full disk encryption on Guest OS level
Pros
Easiest to implement
Makes the VM secure in the event of the Proxmox server getting compromised.
Cons
You need to unlock each VM after a reboot. If you are hosting services, customers are responsible for unlocking the volumes after a reboot.
You need to reinstall your VMs with encryption turned on at the beginning of the installation.
Encryption keys can get leaked into RAM or snapshots
Evaluation
Full disk encryption on the guest OS level does not give much extra safety on its own. A sophisticated hacker can get around it. However, if you combine it with dataset encryption, you get very robust security.
Conclusion
Dataset encryption combined with encryption on the guest OS is a good balance between security, automation possibilities and convenience. However, it takes some effort to set up. A bare minimum would be to encrypt the storage pools containing VMs and containers.
For easy management of cryptographic keys, you need some kind of HSM infrastructure. That is costly and can be complex to set up, but it may be worth it in the long run.
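To check a host against that bare minimum, the following added example (not part of the original post) classifies each dataset from the ZFS `encryption` and `keystatus` properties as unencrypted, unlocked or still locked after a reboot. The function names and the sample pool and dataset names are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the at-rest state of each ZFS dataset.
# Input on stdin is tab-separated `zfs get -H` output: name, property, value.
# On a real host, feed it with:
#   zfs get -H -o name,property,value -t filesystem,volume \
#       encryption,keystatus | audit_zfs_encryption
audit_zfs_encryption() {
    awk -F '\t' '
        NF < 3 { next }                                  # skip malformed lines
        !($1 in seen) { seen[$1] = 1; order[++n] = $1 }  # keep first-seen order
        $2 == "encryption" { enc[$1] = $3 }
        $2 == "keystatus"  { key[$1] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                d = order[i]
                if (enc[d] == "off")            state = "UNENCRYPTED"
                else if (enc[d] == "")          state = "UNKNOWN"   # property not reported
                else if (key[d] == "available") state = "UNLOCKED"  # key loaded, data readable
                else                            state = "LOCKED"    # key must be loaded first
                print state, d
            }
        }'
}

# Constructed sample input (hypothetical pools and datasets, not real output).
sample_zfs_get() {
    printf '%s\t%s\t%s\n' \
        rpool/data                 encryption off \
        rpool/data                 keystatus  - \
        rpool/data/vm-100-disk-0   encryption off \
        rpool/data/vm-100-disk-0   keystatus  - \
        tank/vmstore               encryption aes-256-gcm \
        tank/vmstore               keystatus  available \
        tank/vmstore/vm-101-disk-0 encryption aes-256-gcm \
        tank/vmstore/vm-101-disk-0 keystatus  available \
        backup/archive             encryption aes-256-gcm \
        backup/archive             keystatus  unavailable
}

# Demo run on the constructed sample.
sample_zfs_get | audit_zfs_encryption
```

Any `UNENCRYPTED` line for a dataset that holds VM or container disks is a gap against the bare minimum; `LOCKED` lines show what still needs its key loaded after a power outage.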
In the next part I’m going to demonstrate how to enable ZFS encryption on a ZFS storage pool.


