harvester / harvester

Open source hyperconverged infrastructure (HCI) software
https://harvesterhci.io/
Apache License 2.0

Disk Encryption Support #1495

Open vtrenton opened 2 years ago

vtrenton commented 2 years ago

Is your feature request related to a problem? Please describe.

With security being critical within datacenter infrastructure, having encrypted volumes adds an additional layer of protection against data loss in the case of theft or pre-boot attacks.

Describe the solution you'd like

It would be nice to have the option to enable LUKS encryption of the root volume during installation.

KyleSanderson commented 2 years ago

Any update on this?

MaxRenaud commented 1 year ago

This is a blocker for us to use Harvester on some projects as well.

innobead commented 2 months ago

Duplicated. Let's track https://github.com/harvester/harvester/issues/3129 instead.

tserong commented 2 months ago

@innobead my read of this issue is that it's for encryption of the host disk(s), whereas #3129 is for encryption of VM volumes

KyleSanderson commented 2 months ago

@innobead boo.

MaxRenaud commented 2 months ago

@tserong this is also my understanding. Due to policy reasons, I am unable to install Harvester on a bare metal node without full-disk encryption.

@innobead If this isn't something Harvester can/want to support, that's 100% fine. I want to make sure we're not closing something as a duplicate when it's not.

Can you either reopen this issue or remove the duplicate tag and be explicit that full-disk encryption on bare metal isn't considered?

innobead commented 2 months ago

Thanks for clarifying the context, as this was mistakenly regarded as the volume encryption feature.

johanot commented 2 months ago

It's somewhat straightforward to add an optional LUKS envelope at install time. However, any thoughts on which key providers to support at boot time then? Anyone?

The initial implementation could be just "interactive passphrase on the console". But... In that case, it doesn't become usable for me before I also have network+ssh in initrd - since Hetzner don't provide console access by default.

MaxRenaud commented 2 months ago

For us, we'd be looking at having a hardware TPM handle key management, otherwise it doesn't scale.