|
| 1 | +# Encrypting VMs |
| 2 | + |
| 3 | +XCP-ng doesn't have built-in encryption for VMs or storage repositories (SRs), but you can still protect your data with a couple of effective workarounds. |
| 4 | + |
| 5 | +This guide covers two common methods: encrypting data inside the VM and using encrypted shared storage (SRs). |
| 6 | + |
| 7 | +:::warning |
| 8 | + |
| 9 | +- These are just suggestions. The methods below are not officially supported by XCP-ng. |
| 10 | +- This guide focuses on VM encryption and doesn't cover [dom0](../appendix/glossary.md) encryption. |
| 11 | + |
| 12 | +::: |
| 13 | + |
| 14 | +## Encrypting inside the VM |
| 15 | + |
| 16 | +The easiest and most flexible way to secure your VM's data is by enabling encryption directly within the operating system. |
| 17 | + |
| 18 | +### Full disk encryption during Debian installation |
| 19 | + |
| 20 | +If you want to encrypt the entire VM filesystem, the simplest approach is to enable encryption during OS installation. For instance, the Debian installer lets you set up LUKS-based full disk encryption. This has to be done during installation since encryption requires reformatting the whole disk. |
| 21 | + |
| 22 | +Check out the [official Debian documentation](https://www.debian.org/releases/trixie/amd64/ch06s03.en.html#di-partition) for step-by-step instructions. |
| 23 | + |
| 24 | +### Encrypting additional volumes |
| 25 | + |
| 26 | +You can also encrypt specific volumes inside the VM if you don't need full disk encryption. |
| 27 | + |
| 28 | +For Linux VMs, here are two popular tools: |
| 29 | + |
| 30 | +- **LUKS (Linux Unified Key Setup):** Encrypts entire partitions or logical volumes. Learn more from the [cryptsetup repository](https://gitlab.com/cryptsetup/cryptsetup). |
| 31 | +- **eCryptfs:** Encrypts individual directories (e.g., home directories). |
| 32 | + |
| 33 | +### Example: Setting up LUKS encryption in Debian |
| 34 | + |
| 35 | +1. Install the required package: |
| 36 | + |
| 37 | + ```bash |
| 38 | + sudo apt-get update && sudo apt-get install cryptsetup |
| 39 | + ``` |
| 40 | + |
| 41 | +2. Prepare the partition: |
| 42 | + |
| 43 | + ```bash |
| 44 | + sudo cryptsetup luksFormat /dev/sdX |
| 45 | + sudo cryptsetup open /dev/sdX encrypted_volume |
| 46 | + ``` |
| 47 | + |
| 48 | +3. Create a filesystem and mount the encrypted volume: |
| 49 | + |
| 50 | + ```bash |
| 51 | + sudo mkfs.ext4 /dev/mapper/encrypted_volume |
| 52 | + sudo mount /dev/mapper/encrypted_volume /mnt |
| 53 | + ``` |
| 54 | + |
| 55 | +## Encrypting a shared storage repository |
| 56 | + |
| 57 | +If you want to protect data across multiple hosts, consider using an encrypted storage repository (SR) for your VM disks. A popular option for this is TrueNAS, which can manage and encrypt SRs. |
| 58 | + |
| 59 | +For detailed instructions, refer to the TrueNAS guide on [storage encryption](https://www.truenas.com/docs/core/13.0/coretutorials/storage/pools/storageencryption/). |
| 60 | + |
| 61 | +## Things to keep in mind |
| 62 | + |
| 63 | +- **Encryption inside the VM** is the easiest and most flexible option. It works regardless of your storage setup and lets you choose the encryption method you prefer. However, this only protects data inside the VM. Your hypervisor and storage layer stay unencrypted. |
| 64 | +- **Encrypted storage repositories** secure data at the storage level, protecting all virtual disks in the SR. This is useful if you want to safeguard data across multiple VMs or hosts. Just be aware that it may affect performance and requires compatible storage hardware. |
| 65 | +- **Full disk encryption** has to be set up during OS installation—you can't add it later to an existing VM. |
| 66 | +- Neither method is natively supported by Xen Orchestra or XCP-ng, so you'll need to manage encryption keys and access control on your own. |
0 commit comments