Deploying a VM
Arrow Manager allows you to deploy virtual machines directly onto your Arrow device using pre-built templates. This guide walks through every step required to get a VM running.
Prerequisites
Section titled “Prerequisites”Before deploying a VM, ensure:
- You are logged into Arrow Manager
- Proxmox credentials are configured (via Manage Credential button)
- At least one VM template is installed
Step 1: Set Up Encrypted Storage
Section titled “Step 1: Set Up Encrypted Storage”Encrypted storage uses LUKS encryption to securely store your deployed VMs. To set it up:
- Click Setup Encryption on the Proxmox page
- Enter a strong encryption key or passphrase
- Click Create Encrypted Storage
The system will create a LUKS-encrypted partition and mount it automatically. A Proxmox storage location called “encrypted” is configured for you.
Remember Your Key
Your encryption key is not saved on the system. You will need to re-enter it after every system reboot to unlock your VM storage. If you forget the key, you will need to wipe the encrypted storage and start over.
After a Reboot
Section titled “After a Reboot”If the device has been rebooted, you will see an Encrypted Storage Not Mounted alert. Click Enter Encryption Key, provide your key, and click Unlock to remount the storage and regain access to your VMs.
Step 2: Install a Template
Section titled “Step 2: Install a Template”If you haven’t already installed a template:
- Find the template you want in the template list
- Click Install to download it to your device
- Wait for the download to complete
Templates are stored on unencrypted storage and do not require the encrypted partition. You can install and update templates at any time.
Step 3: Deploy the VM
Section titled “Step 3: Deploy the VM”Click Deploy on an installed template to open the deployment configuration dialog. You will need to configure four sections before deployment can begin.
Authentication
Section titled “Authentication”Set the passwords that will be configured on the VM:
| Field | Required | Description |
|---|---|---|
| Root Password | Yes | Root account password (minimum 8 characters) |
| Confirm Root Password | Yes | Must match the root password |
| Arrow User Password | Yes | Password for the arrow user account (minimum 8 characters) |
| Confirm Arrow User Password | Yes | Must match the arrow user password |
| SSH Public Key | No | Optional SSH public key for key-based authentication (ssh-rsa, ssh-ed25519, etc.) |
Configure the VM’s VPN connection for remote management:
| Field | Required | Description |
|---|---|---|
| NetBird Setup Key | Yes | Setup key from your NetBird dashboard to register the VM on your VPN network |
| NetBird Device Name | Auto | Automatically generated based on your device hostname and OS. Can be customized. |
| Enable Arrow Control | No | Toggle to provision an Arrow Control license for the VM (enabled by default) |
The NetBird setup key connects your new VM to your organization’s VPN network, making it remotely accessible.
Network
Section titled “Network”Configure how the VM connects to the local network:
| Field | Required | Description |
|---|---|---|
| MAC Address | Auto | Auto-generated from the host adapter. Can be manually changed if needed. |
| Use Static IP | No | Toggle between DHCP (default) and static IP configuration |
When Use Static IP is enabled, additional fields appear:
| Field | Required | Description |
|---|---|---|
| IP Address | Yes | Static IP address for the VM |
| Subnet Mask | Yes | Supports CIDR notation (/24) or decimal (255.255.255.0) |
| Gateway | Yes | Network gateway address |
| Primary DNS | Yes | Primary DNS server |
| Secondary DNS | No | Optional fallback DNS server |
If you leave Use Static IP disabled, the VM will use DHCP to obtain its network configuration automatically.
Resources
Section titled “Resources”Allocate hardware resources for the VM:
| Field | Default | Description |
|---|---|---|
| Disk Size (GB) | Template minimum | Size of the VM disk. Cannot be smaller than the template’s disk size. Maximum 2000 GB. |
| CPU Cores | Host cores - 1 | Number of CPU cores allocated to the VM |
| Memory (GB) | Host memory - 2 GB | Amount of RAM allocated to the VM |
Resource defaults are calculated based on your device’s hardware, leaving headroom for the host system to operate.
Step 4: Confirm and Deploy
Section titled “Step 4: Confirm and Deploy”After filling in all four sections, click Deploy to start the VM creation process. Arrow Manager will:
- Validate all your configuration settings
- Allocate a VM ID on Proxmox
- Clone the template with your resource settings
- Apply cloud-init configuration (passwords, network, VPN)
- Start the VM
You can monitor the deployment progress in real time. Once complete, the VM will appear in your VM list and begin booting.
Deployment Checklist
Section titled “Deployment Checklist”Use this checklist to ensure everything is ready before deploying:
| Requirement | Status |
|---|---|
| Logged into Arrow Manager | |
| Proxmox credentials configured | |
| Encrypted storage set up and mounted | |
| Template installed | |
| Root and arrow user passwords chosen | |
| NetBird setup key obtained | |
| Network configuration decided (DHCP or static) | |
| Resource allocation reviewed |
Troubleshooting
Section titled “Troubleshooting””Encrypted storage is not mounted”
Section titled “”Encrypted storage is not mounted””You need to set up or unlock encrypted storage before deploying. See Step 1.
Deploy button is disabled
Section titled “Deploy button is disabled”The Deploy button is disabled when:
- Encrypted storage is not mounted
- A template is currently being installed
- Proxmox credentials are not configured
VM fails to get network connectivity
Section titled “VM fails to get network connectivity”- If using static IP, verify the IP address, gateway, and DNS settings are correct for your network
- If using DHCP, ensure a DHCP server is available on the network
- Check that the MAC address is not conflicting with another device on the network
Forgot encryption key after reboot
Section titled “Forgot encryption key after reboot”If you cannot remember your encryption key, your only option is to wipe the encrypted storage and set it up again. This will delete all deployed VMs. Use the Wipe Storage button to reset.
Wiping Encrypted Storage
Section titled “Wiping Encrypted Storage”When an engagement is complete or you need to reset the device, you can wipe the encrypted storage to permanently destroy all deployed VMs and their data.
When to Wipe
Section titled “When to Wipe”- After an engagement — securely erase all VMs and data when the job is done
- Forgot your encryption key — if you cannot unlock the storage after a reboot, wiping is the only way to reset
- Free up disk space — remove the encrypted partition entirely
What Wipe Does
Section titled “What Wipe Does”Wiping encrypted storage is a permanent, irreversible operation. It will:
- Stop all running VMs
- Delete all VMs from Proxmox
- Remove the “encrypted” storage from Proxmox configuration
- Unmount the encrypted filesystem
- Close the LUKS encrypted device
- Wipe the LUKS header (making data unrecoverable)
- Delete the encrypted partition from disk
How to Wipe
Section titled “How to Wipe”- Navigate to the Proxmox page in Arrow Manager
- Click the Wipe Storage button (only enabled when encrypted storage exists)
- Review the warning dialog carefully
- If there are running VMs, you will see an additional warning that they will be stopped automatically
- Click Wipe Encrypted Storage to confirm
After the wipe completes, you can set up encryption again from scratch if needed by following Step 1.
Related Documentation
Section titled “Related Documentation”- Arrow Manager Overview - General Arrow Manager features
- VPN Management - NetBird VPN setup and configuration
- Troubleshooting - Common Arrow Manager issues