This backend allows direct integration of a Proxmox Backup Server into {pve}
like any other storage.
A Proxmox Backup storage can be added directly through the {pve} API, CLI or
-the webinterface.
+the web interface.
Configuration
~~~~~~~~~~~~~
Server IP or DNS name. Required.
+port::
+
+Use this port instead of the default one, i.e. `8007`. Optional.
+
username::
The username for the Proxmox Backup Server storage. Required.
password::
The user password. The value will be saved in a file under
-`/etc/pve/priv/<STORAGE-ID>.pw` with access restricted to the root user.
-Required.
+`/etc/pve/priv/storage/<STORAGE-ID>.pw` with access restricted to the root
+user. Required.
datastore::
A key to encrypt the backup data from the client side. Currently only
non-password protected (no key derive function (kdf)) are supported. Will be
-saved in a file under `/etc/pve/priv/<STORAGE-ID>.enc` with access restricted
-to the root user. Use the magic value `autogen` to automatically generate a
-new one using `proxmox-backup-client key create --kdf none <path>`. Optional.
+saved in a file under `/etc/pve/priv/storage/<STORAGE-ID>.enc` with access
+restricted to the root user. Use the magic value `autogen` to automatically
+generate a new one using `proxmox-backup-client key create --kdf none <path>`.
+Optional.
+
+master-pubkey::
+
+A public RSA key used to encrypt the backup encryption key as part of the
+backup task. Will be saved in a file under
+`/etc/pve/priv/storage/<STORAGE-ID>.master.pem` with access restricted to the
+root user.
+The encrypted copy of the backup encryption key will be appended to each backup
+and stored on the Proxmox Backup Server instance for recovery purposes.
+Optional, requires `encryption-key`.
.Configuration Example (`/etc/pve/storage.cfg`)
----
server enya.proxmox.com
content backup
fingerprint 09:54:ef:..snip..:88:af:47:fe:4c:3b:cf:8b:26:88:0b:4e:3c:b2
- maxfiles 0
+ prune-backups keep-all=1
username archiver@pbs
+ encryption-key a9:ee:c8:02:13:..snip..:2d:53:2c:98
+ master-pubkey 1
----
Storage Features
file-level based. {pve} uses block-level for virtual machines and file-level for
container.
-.Storage features for backend `cifs`
+.Storage features for backend `pbs`
[width="100%",cols="m,4*d",options="header"]
|===============================================================
|Content types |Image formats |Shared |Snapshots |Clones
|backup |n/a |yes |n/a |n/a
|===============================================================
-Examples
-~~~~~~~~
+[[storage_pbs_encryption]]
+Encryption
+~~~~~~~~~~
+
+[thumbnail="screenshot/storage-pbs-encryption-with-key.png"]
+
+Optionally, you can configure client-side encryption with AES-256 in GCM mode.
+Encryption can be configured either via the web interface, or on the CLI with
+the `encryption-key` option (see above). The key will be saved in the file
+`/etc/pve/priv/storage/<STORAGE-ID>.enc`, which is only accessible by the root
+user.
+
+WARNING: Without their key, backups will be inaccessible. Thus, you should
+keep keys ordered and in a place that is separate from the contents being
+backed up. It can happen, for example, that you back up an entire system, using
+a key on that system. If the system then becomes inaccessible for any reason
+and needs to be restored, this will not be possible as the encryption key will be
+lost along with the broken system.
+
+It is recommended that you keep your key safe, but easily accessible, in
+order for quick disaster recovery. For this reason, the best place to store it
+is in your password manager, where it is immediately recoverable. As a backup to
+this, you should also save the key to a USB flash drive and store that in a secure
+place. This way, it is detached from any system, but is still easy to recover
+from, in case of emergency. Finally, in preparation for the worst case scenario,
+you should also consider keeping a paper copy of your key locked away in a safe
+place. The `paperkey` subcommand can be used to create a QR encoded version of
+your key. The following command sends the output of the `paperkey` command to
+a text file, for easy printing.
+
+----
+# proxmox-backup-client key paperkey /etc/pve/priv/storage/<STORAGE-ID>.enc --output-format text > qrkey.txt
+----
+
+Additionally, it is possible to use a single RSA master key pair for key
+recovery purposes: configure all clients doing encrypted backups to use a
+single public master key, and all subsequent encrypted backups will contain a
+RSA-encrypted copy of the used AES encryption key. The corresponding private
+master key allows recovering the AES key and decrypting the backup even if the
+client system is no longer available.
+
+WARNING: The same safe-keeping rules apply to the master key pair as to the
+regular encryption keys. Without a copy of the private key recovery is not
+possible! The `paperkey` command supports generating paper copies of private
+master keys for storage in a safe, physical location.
+
+Because the encryption is managed on the client side, you can use the same
+datastore on the server for unencrypted backups and encrypted backups, even
+if they are encrypted with different keys. However, deduplication between
+backups with different keys is not possible, so it is often better to create
+separate datastores.
+
+NOTE: Do not use encryption if there is no benefit from it, for example, when
+you are running the server locally in a trusted network. It is always easier to
+recover from unencrypted backups.
+
+Example: Add Storage over CLI
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
// TODO: FIXME: add once available
//You can get a list of exported CIFS shares with: