[[storage_pbs]]
Proxmox Backup Server
---------------------
ifdef::wiki[]
:pve-toplevel:
:title: Storage: Proxmox Backup Server
endif::wiki[]

Storage pool type: `pbs`

This backend allows direct integration of a Proxmox Backup Server into {pve}
like any other storage.
A Proxmox Backup storage can be added directly through the {pve} API, CLI or
the web interface.

Configuration
~~~~~~~~~~~~~

The backend supports all common storage properties, except the shared flag,
which is always set. Additionally, the following properties specific to Proxmox
Backup Server are available:

server::

Server IP or DNS name. Required.

username::

The username for the Proxmox Backup Server storage. Required.

TIP: Do not forget to add the realm to the username. For example, `root@pam` or
`archiver@pbs`.

password::

The user password. The value will be saved in a file under
`/etc/pve/priv/storage/<STORAGE-ID>.pw` with access restricted to the root
user. Required.

datastore::

The ID of the Proxmox Backup Server datastore to use. Required.

fingerprint::

The fingerprint of the Proxmox Backup Server API TLS certificate. You can get
it in the server's Dashboard or using the `proxmox-backup-manager cert info`
command. Required for self-signed certificates or any other certificate where
the host does not trust the server's CA.

encryption-key::

A key to encrypt the backup data on the client side. Currently only keys
without password protection (no key derivation function (KDF)) are supported.
The key will be saved in a file under `/etc/pve/priv/storage/<STORAGE-ID>.enc`
with access restricted to the root user. Use the magic value `autogen` to
automatically generate a new one using
`proxmox-backup-client key create --kdf none <path>`. Optional.

master-pubkey::

A public RSA key used to encrypt the backup encryption key as part of the
backup task. The encrypted copy will be appended to the backup and stored on
the Proxmox Backup Server instance for recovery purposes.
Optional, requires `encryption-key`.

.Configuration Example (`/etc/pve/storage.cfg`)
----
pbs: backup
	datastore main
	server enya.proxmox.com
	content backup
	fingerprint 09:54:ef:..snip..:88:af:47:fe:4c:3b:cf:8b:26:88:0b:4e:3c:b2
	prune-backups keep-all=1
	username archiver@pbs
----

Storage Features
~~~~~~~~~~~~~~~~

Proxmox Backup Server only supports backups; these can be block-level or
file-level based. {pve} uses block-level backups for virtual machines and
file-level backups for containers.

.Storage features for backend `pbs`
[width="100%",cols="m,4*d",options="header"]
|===============================================================
|Content types |Image formats |Shared |Snapshots |Clones
|backup |n/a |yes |n/a |n/a
|===============================================================

[[storage_pbs_encryption]]
Encryption
~~~~~~~~~~

[thumbnail="screenshot/storage-pbs-encryption-with-key.png"]

Optionally, you can configure client-side encryption with AES-256 in GCM mode.
Encryption can be configured either via the web interface, or on the CLI with
the `encryption-key` option (see above). The key will be saved in the file
`/etc/pve/priv/storage/<STORAGE-ID>.enc`, which is only accessible by the root
user.

WARNING: Without their key, backups will be inaccessible. Thus, you should
keep keys organized and in a place that is separate from the contents being
backed up. It can happen, for example, that you back up an entire system, using
a key on that system. If the system then becomes inaccessible for any reason
and needs to be restored, this will not be possible as the encryption key will be
lost along with the broken system.

It is recommended that you keep your key safe, but easily accessible, to allow
quick disaster recovery. For this reason, the best place to store it is in your
password manager, where it is immediately recoverable. As a backup to this, you
should also save the key to a USB drive and store that in a secure place. This
way, it is detached from any system, but is still easy to recover from, in case
of emergency. Finally, in preparation for the worst case scenario, you should
also consider keeping a paper copy of your key locked away in a safe place. The
`paperkey` subcommand can be used to create a QR encoded version of your key.
The following command sends the output of the `paperkey` command to a text
file, for easy printing.

----
# proxmox-backup-client key paperkey /etc/pve/priv/storage/<STORAGE-ID>.enc --output-format text > qrkey.txt
----

Additionally, it is possible to use a single RSA master key pair for key
recovery purposes: configure all clients doing encrypted backups to use a
single public master key, and all subsequent encrypted backups will contain an
RSA-encrypted copy of the used AES encryption key. The corresponding private
master key allows recovering the AES key and decrypting the backup even if the
client system is no longer available.

WARNING: The same safe-keeping rules apply to the master key pair as to the
regular encryption keys. Without a copy of the private key, recovery is not
possible! The `paperkey` command supports generating paper copies of private
master keys for storage in a safe, physical location.

Because the encryption is managed on the client side, you can use the same
datastore on the server for unencrypted backups and encrypted backups, even
if they are encrypted with different keys. However, deduplication between
backups with different keys is not possible, so it is often better to create
separate datastores.

NOTE: Do not use encryption if there is no benefit from it, for example, when
you are running the server locally in a trusted network. It is always easier to
recover from unencrypted backups.

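The Configuration section above lists what a `pbs` storage needs (the required properties, a realm in the username, a pinned certificate fingerprint, the `.pw` and `.enc` secret files restricted to root, and `master-pubkey` only together with `encryption-key`), and this section adds that only encryption keys without a KDF are supported. The following script is an added example, not code from pve-docs or from Proxmox, that audits the `pbs` stanzas of a `storage.cfg` against exactly those rules. Everything it assumes beyond the page is labelled in the docstring: the stanza parser handles only the simple `type: id` plus indented `key value` layout; a stanza is assumed to keep an `encryption-key` entry once a key has been stored; and a key file written with `--kdf none` is assumed to be JSON with a `kdf` member of `null` and a `data` member holding the base64-encoded raw 32-byte AES key. The `demo()` function builds a constructed `storage.cfg` and constructed secret files in a temporary directory so the whole thing runs offline.

```python
"""Audit the 'pbs' stanzas of a Proxmox VE storage.cfg against the properties
documented above.  Added example; not code from pve-docs or Proxmox.  Assumptions
not taken from the page: storage.cfg is parsed only in its simple 'type: id' /
indented 'key value' layout; a stanza keeps an 'encryption-key' entry once a key
is stored; a '--kdf none' key file is JSON with 'kdf' null and 'data' holding the
base64-encoded raw 32-byte AES key."""
import base64, json, os, re, stat, tempfile

PRIV_DIR = "/etc/pve/priv/storage"               # documented home of <ID>.pw / <ID>.enc
REQUIRED = ("server", "username", "datastore")   # 'password' lives in the .pw file
FINGERPRINT_RE = re.compile(r"^(?:[0-9a-f]{2}:){31}[0-9a-f]{2}$", re.IGNORECASE)  # SHA-256

def parse_storage_cfg(text):
    """Map storage id -> properties (plus 'type') for every stanza in the text."""
    storages, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():                 # 'pbs: backup' opens a stanza
            stype, _, sid = raw.partition(":")
            current = storages[sid.strip()] = {"type": stype.strip()}
        elif current is not None:                # indented 'key value' belongs to it
            key, _, value = raw.strip().partition(" ")
            current[key] = value.strip()
    return storages

def check_secret_file(sid, path, owner_uid):
    """A secret file must exist, belong to owner_uid and not be group/other accessible."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{sid}: expected secret file {path} is missing"]
    findings = []
    if st.st_uid != owner_uid:
        findings.append(f"{sid}: {path} is not owned by uid {owner_uid}")
    if stat.S_IMODE(st.st_mode) & 0o077:
        findings.append(f"{sid}: {path} is accessible to group/other (mode {stat.S_IMODE(st.st_mode):04o})")
    return findings

def check_key_file(sid, path):
    """Only keys without a KDF are supported: 'kdf' must be null, 'data' a raw 32-byte key."""
    try:
        with open(path) as fh:
            key = json.load(fh)
    except OSError:
        return []                                # a missing file is reported by check_secret_file
    except ValueError:
        return [f"{sid}: {path} is not a JSON key file"]
    findings = []
    if key.get("kdf") is not None:
        findings.append(f"{sid}: {path} is password protected (kdf set); create it with --kdf none")
    try:
        if len(base64.b64decode(key.get("data", ""), validate=True)) != 32:
            findings.append(f"{sid}: {path} does not hold a 32-byte AES-256 key")
    except (ValueError, TypeError):
        findings.append(f"{sid}: {path} has undecodable key data")
    return findings

def audit_pbs_storage(sid, props, priv_dir=PRIV_DIR, owner_uid=0):
    """Return findings for one 'pbs' stanza; an empty list means it passes."""
    findings = [f"{sid}: missing required property '{k}'" for k in REQUIRED if k not in props]
    user = props.get("username", "")
    if user and "@" not in user:
        findings.append(f"{sid}: username '{user}' has no realm (e.g. root@pam or archiver@pbs)")
    fp = props.get("fingerprint")
    if fp is None:
        findings.append(f"{sid}: no fingerprint pinned; fine only if the host trusts the server's CA")
    elif not FINGERPRINT_RE.match(fp):
        findings.append(f"{sid}: fingerprint is not a SHA-256 fingerprint (32 colon-separated hex bytes)")
    if "master-pubkey" in props and "encryption-key" not in props:
        findings.append(f"{sid}: master-pubkey requires encryption-key")
    findings += check_secret_file(sid, os.path.join(priv_dir, sid + ".pw"), owner_uid)
    if "encryption-key" in props:
        enc = os.path.join(priv_dir, sid + ".enc")
        findings += check_secret_file(sid, enc, owner_uid) + check_key_file(sid, enc)
    return findings

def demo():
    """Audit a constructed storage.cfg plus constructed secret files in a temp dir."""
    priv = tempfile.mkdtemp()
    cfg = ("pbs: backup\n\tdatastore main\n\tserver enya.proxmox.com\n\tcontent backup\n"
           f"\tfingerprint {':'.join(['ab'] * 32)}\n\tusername archiver@pbs\n\tencryption-key 1\n\n"
           "pbs: weak\n\tdatastore main\n\tserver pbs.example.invalid\n"
           "\tusername archiver\n\tmaster-pubkey 1\n")
    enc = json.dumps({"kdf": None, "data": base64.b64encode(b"\x42" * 32).decode()})
    for name, mode, body in (("backup.pw", 0o600, "constructed-password\n"),
                             ("backup.enc", 0o600, enc),
                             ("weak.pw", 0o644, "constructed-password\n")):   # too open
        path = os.path.join(priv, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return {sid: audit_pbs_storage(sid, props, priv, os.getuid())
            for sid, props in parse_storage_cfg(cfg).items()}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real node you would call `audit_pbs_storage` on the stanzas of `/etc/pve/storage.cfg` with the default `priv_dir` and `owner_uid=0`; `demo()` passes the current uid only because its temporary files cannot be root-owned. The `backup` stanza passes cleanly, while `weak` is flagged four times: no realm in the username, no pinned fingerprint, `master-pubkey` without `encryption-key`, and a world-readable `.pw` file.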
Example: Add Storage over CLI
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

// TODO: FIXME: add once available
//You can get a list of exported CIFS shares with:
//
//----
//# pvesm scan pbs <server> [--username <username>] [--password]
//----

You can add a Proxmox Backup Server datastore as a storage to the whole {pve}
cluster with:

----
# pvesm add pbs <id> --server <server> --datastore <datastore> --username <username> --fingerprint 00:B4:... --password
----

ifdef::wiki[]

See Also
~~~~~~~~

* link:/wiki/Storage[Storage]

endif::wiki[]