X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=pve-storage-pbs.adoc;h=c22f5b320cf6e59f78b97701a8340599302f23ae;hb=67558489055a7538728d6f1c4f2e467ea26ad88e;hp=75ec061ce5597d5365ea82d5d9add99aac037012;hpb=2309c050578eaebf14460a90a3a0ca3cf825be4e;p=pve-docs.git diff --git a/pve-storage-pbs.adoc b/pve-storage-pbs.adoc index 75ec061..c22f5b3 100644 --- a/pve-storage-pbs.adoc +++ b/pve-storage-pbs.adoc @@ -86,6 +86,8 @@ container. Encryption ~~~~~~~~~~ +[thumbnail="screenshot/storage-pbs-encryption-with-key.png"] + Optionally, you can configure client-side encryption with AES-256 in GCM mode. Encryption can be configured either via the web interface, or on the CLI with the `encryption-key` option (see above). The key will be saved in the file @@ -99,19 +101,19 @@ a key on that system. If the system then becomes inaccessible for any reason and needs to be restored, this will not be possible as the encryption key will be lost along with the broken system. -It is recommended that you keep your keys safe, but easily accessible, in +It is recommended that you keep your key safe, but easily accessible, in order for quick disaster recovery. For this reason, the best place to store it is in your password manager, where it is immediately recoverable. As a backup to this, you should also save the key to a USB drive and store that in a secure place. This way, it is detached from any system, but is still easy to recover from, in case of emergency. Finally, in preparation for the worst case scenario, -you should also consider keeping a paper copy of your master key locked away in -a safe place. The `paperkey` subcommand can be used to create a QR encoded -version of your master key. The following command sends the output of the -`paperkey` command to a text file, for easy printing. +you should also consider keeping a paper copy of your key locked away in a safe +place. The `paperkey` subcommand can be used to create a QR encoded version of +your key. The following command sends the output of the `paperkey` command to +a text file, for easy printing. ---- -# proxmox-backup-client key paperkey --output-format text > qrkey.txt +# proxmox-backup-client key paperkey /etc/pve/priv/storage/.enc --output-format text > qrkey.txt ---- Because the encryption is managed on the client side, you can use the same