Commit | Line | Data |
---|---|---|
93e1d33e TL |
1 | [[storage_pbs]] |
2 | Proxmox Backup Server | |
3 | --------------------- | |
4 | ifdef::wiki[] | |
5 | :pve-toplevel: | |
6 | :title: Storage: Proxmox Backup Server | |
7 | endif::wiki[] | |
8 | ||
9 | Storage pool type: `pbs` | |
10 | ||
11 | This backend allows direct integration of a Proxmox Backup Server into {pve} | |
12 | like any other storage. | |
13 | A Proxmox Backup storage can be added directly through the {pve} API, CLI or | |
14 | the web interface. | |
15 | ||
16 | Configuration | |
17 | ~~~~~~~~~~~~~ | |
18 | ||
19 | The backend supports all common storage properties, except the shared flag, | |
20 | which is always set. Additionally, the following properties specific to Proxmox | |
21 | Backup Server are available: | |
22 | ||
23 | server:: | |
24 | ||
25 | Server IP or DNS name. Required. | |
26 | ||
27 | username:: | |
28 | ||
29 | The username for the Proxmox Backup Server storage. Required. | |
30 | ||
31 | TIP: Do not forget to add the realm to the username. For example, `root@pam` or | |
32 | `archiver@pbs`. | |
33 | ||
34 | password:: | |
35 | ||
36 | The user password. The value will be saved in a file under | |
92192603 TL |
37 | `/etc/pve/priv/storage/<STORAGE-ID>.pw` with access restricted to the root |
38 | user. Required. | |
93e1d33e TL |
39 | |
40 | datastore:: | |
41 | ||
42 | The ID of the Proxmox Backup Server datastore to use. Required. | |
43 | ||
44 | fingerprint:: | |
45 | ||
46 | The fingerprint of the Proxmox Backup Server API TLS certificate. You can get | |
47 | it in the server's Dashboard or using the `proxmox-backup-manager cert info` | |
48 | command. Required for self-signed certificates or any other one where the host | |
49 | does not trust the server's CA. | |
50 | ||
51 | encryption-key:: | |
52 | ||
53 | A key to encrypt the backup data on the client side. Currently only | |
54 | non-password protected keys (no key derivation function (kdf)) are supported. Will be | |
92192603 TL |
55 | saved in a file under `/etc/pve/priv/storage/<STORAGE-ID>.enc` with access |
56 | restricted to the root user. Use the magic value `autogen` to automatically | |
57 | generate a new one using `proxmox-backup-client key create --kdf none <path>`. | |
58 | Optional. | |
93e1d33e TL |
59 | |
60 | .Configuration Example (`/etc/pve/storage.cfg`) | |
61 | ---- | |
62 | pbs: backup | |
63 | datastore main | |
64 | server enya.proxmox.com | |
65 | content backup | |
66 | fingerprint 09:54:ef:..snip..:88:af:47:fe:4c:3b:cf:8b:26:88:0b:4e:3c:b2 | |
67 | maxfiles 0 | |
68 | username archiver@pbs | |
69 | ---- | |
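
An added example, not part of the Proxmox documentation or code: a small Python audit that parses text in the `storage.cfg` layout shown above and reports, for each `pbs` entry, missing required properties, a username without a realm, an absent or malformed fingerprint, and a missing `<STORAGE-ID>.enc` key file. The sample configuration, host names and fingerprint are constructed, the function names are hypothetical, and the 32-byte length check assumes a SHA-256 certificate fingerprint.

```python
import os
import re

REQUIRED = ("server", "username", "datastore")  # marked "Required" on this page
FP_RE = re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){31}", re.I)  # SHA-256 = 32 hex bytes
# Constructed sample in the storage.cfg layout; every value below is made up.
SAMPLE_FP = ":".join(f"{b:02x}" for b in range(32))
SAMPLE_CFG = f"""\
dir: local
        path /var/lib/vz

pbs: backup
        datastore main
        server pbs1.example.net
        fingerprint {SAMPLE_FP}
        username archiver@pbs

pbs: offsite
        datastore main
        username archiver
"""

def parse_storage_cfg(text):  # -> {storage_id: {"type": ..., property: value}}
    stores, current = {}, None
    for line in filter(str.strip, text.splitlines()):  # skip blank lines
        if not line[0].isspace():          # section header "type: id"
            stype, _, sid = line.partition(":")
            current = stores.setdefault(sid.strip(), {"type": stype.strip()})
        elif current is not None:          # indented "property value" line
            key, *rest = line.split(None, 1)
            current[key] = rest[0].strip() if rest else ""
    return stores

def audit_pbs(stores, priv_dir="/etc/pve/priv/storage"):  # -> {storage_id: [notes]}
    report = {}
    pbs = {sid: p for sid, p in stores.items() if p["type"] == "pbs"}
    for sid, props in pbs.items():
        notes = [f"missing required property: {k}" for k in REQUIRED if k not in props]
        if "@" not in props.get("username", "@"):
            notes.append("username has no realm")
        fp = props.get("fingerprint")
        if fp is None:
            notes.append("no fingerprint: relies on the host trusting the server's CA")
        elif not FP_RE.fullmatch(fp):
            notes.append("fingerprint is not 32 colon-separated hex bytes")
        if not os.path.exists(os.path.join(priv_dir, f"{sid}.enc")):
            notes.append("no .enc key file: client-side encryption not configured")
        report[sid] = notes
    return report
```

Reading the real `/etc/pve/priv/storage` directory requires root; pass another `priv_dir` to run the check against a copy.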
70 | ||
71 | Storage Features | |
72 | ~~~~~~~~~~~~~~~~ | |
73 | ||
74 | Proxmox Backup Server only supports backups; they can be block-level or | |
75 | file-level based. {pve} uses block-level for virtual machines and file-level for | |
76 | containers. | |
77 | ||
78 | .Storage features for backend `pbs` | |
79 | [width="100%",cols="m,4*d",options="header"] | |
80 | |=============================================================== | |
81 | |Content types |Image formats |Shared |Snapshots |Clones | |
82 | |backup |n/a |yes |n/a |n/a | |
83 | |=============================================================== | |
84 | ||
1658c673 FE |
85 | [[storage_pbs_encryption]] |
86 | Encryption | |
87 | ~~~~~~~~~~ | |
88 | ||
55ebc079 TL |
89 | [thumbnail="screenshot/storage-pbs-encryption-with-key.png"] |
90 | ||
1658c673 FE |
91 | Optionally, you can configure client-side encryption with AES-256 in GCM mode. |
92 | Encryption can be configured either via the web interface, or on the CLI with | |
93 | the `encryption-key` option (see above). The key will be saved in the file | |
94 | `/etc/pve/priv/storage/<STORAGE-ID>.enc`, which is only accessible by the root | |
95 | user. | |
96 | ||
97 | WARNING: Without their key, backups will be inaccessible. Thus, you should | |
98 | keep keys ordered and in a place that is separate from the contents being | |
99 | backed up. It can happen, for example, that you back up an entire system, using | |
100 | a key on that system. If the system then becomes inaccessible for any reason | |
101 | and needs to be restored, this will not be possible as the encryption key will be | |
102 | lost along with the broken system. | |
103 | ||
f1edca2e | 104 | It is recommended that you keep your key safe, but easily accessible, to |
1658c673 FE |
105 | allow for quick disaster recovery. For this reason, the best place to store it |
106 | is in your password manager, where it is immediately recoverable. As a backup to | |
107 | this, you should also save the key to a USB drive and store that in a secure | |
108 | place. This way, it is detached from any system, but is still easy to recover | |
109 | from, in case of emergency. Finally, in preparation for the worst case scenario, | |
f1edca2e FE |
110 | you should also consider keeping a paper copy of your key locked away in a safe |
111 | place. The `paperkey` subcommand can be used to create a QR encoded version of | |
112 | your key. The following command sends the output of the `paperkey` command to | |
113 | a text file, for easy printing. | |
1658c673 FE |
114 | |
115 | ---- | |
f1edca2e | 116 | # proxmox-backup-client key paperkey /etc/pve/priv/storage/<STORAGE-ID>.enc --output-format text > qrkey.txt |
1658c673 FE |
117 | ---- |
118 | ||
119 | Because the encryption is managed on the client side, you can use the same | |
120 | datastore on the server for unencrypted backups and encrypted backups, even | |
121 | if they are encrypted with different keys. However, deduplication between | |
122 | backups with different keys is not possible, so it is often better to create | |
123 | separate datastores. | |
124 | ||
125 | NOTE: Do not use encryption if there is no benefit from it, for example, when | |
126 | you are running the server locally in a trusted network. It is always easier to | |
127 | recover from unencrypted backups. | |
128 | ||
2309c050 TL |
129 | Example: Add Storage over CLI |
130 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
93e1d33e TL |
131 | |
132 | // TODO: FIXME: add once available | |
133 | //You can get a list of exported CIFS shares with: | |
134 | // | |
135 | //---- | |
136 | //# pvesm scan pbs <server> [--username <username>] [--password] | |
137 | //---- | |
138 | ||
139 | You can add a Proxmox Backup Server datastore as a storage for the whole {pve} cluster | |
140 | with: | |
141 | ||
142 | ---- | |
143 | # pvesm add pbs <id> --server <server> --datastore <datastore> --username <username> --fingerprint 00:B4:... --password | |
144 | ---- | |
145 | ||
146 | ifdef::wiki[] | |
147 | ||
148 | See Also | |
149 | ~~~~~~~~ | |
150 | ||
151 | * link:/wiki/Storage[Storage] | |
152 | ||
153 | endif::wiki[] |