6 :title: Storage: Proxmox Backup Server
9 Storage pool type: `pbs`
11 This backend allows direct integration of a Proxmox Backup Server into {pve}
12 like any other storage.
13 A Proxmox Backup storage can be added directly through the {pve} API, CLI or
19 The backend supports all common storage properties, except the shared flag,
20 which is always set. Additionally, the following special properties to Proxmox
21 Backup Server are available:
25 Server IP or DNS name. Required.
29 The username for the Proxmox Backup Server storage. Required.
31 TIP: Do not forget to add the realm to the username. For example, `root@pam` or
36 The user password. The value will be saved in a file under
37 `/etc/pve/priv/storage/<STORAGE-ID>.pw` with access restricted to the root
42 The ID of the Proxmox Backup Server datastore to use. Required.
46 The fingerprint of the Proxmox Backup Server API TLS certificate. You can get
47 it in the Servers Dashboard or using the `proxmox-backup-manager cert info`
48 command. Required for self-signed certificates or any other one where the host
49 does not trusts the servers CA.
53 A key to encrypt the backup data from the client side. Currently only
54 non-password protected (no key derive function (kdf)) are supported. Will be
55 saved in a file under `/etc/pve/priv/storage/<STORAGE-ID>.enc` with access
56 restricted to the root user. Use the magic value `autogen` to automatically
57 generate a new one using `proxmox-backup-client key create --kdf none <path>`.
62 A public RSA key used to encrypt the backup encryption key as part of the
63 backup task. The encrypted copy will be appended to the backup and stored on
64 the Proxmox Backup Server instance for recovery purposes.
65 Optional, requires `encryption-key`.
67 .Configuration Example (`/etc/pve/storage.cfg`)
71 server enya.proxmox.com
73 fingerprint 09:54:ef:..snip..:88:af:47:fe:4c:3b:cf:8b:26:88:0b:4e:3c:b2
81 Proxmox Backup Server only supports backups, they can be block-level or
82 file-level based. {pve} uses block-level for virtual machines and file-level for
85 .Storage features for backend `cifs`
86 [width="100%",cols="m,4*d",options="header"]
87 |===============================================================
88 |Content types |Image formats |Shared |Snapshots |Clones
89 |backup |n/a |yes |n/a |n/a
90 |===============================================================
92 [[storage_pbs_encryption]]
96 [thumbnail="screenshot/storage-pbs-encryption-with-key.png"]
98 Optionally, you can configure client-side encryption with AES-256 in GCM mode.
99 Encryption can be configured either via the web interface, or on the CLI with
100 the `encryption-key` option (see above). The key will be saved in the file
101 `/etc/pve/priv/storage/<STORAGE-ID>.enc`, which is only accessible by the root
104 WARNING: Without their key, backups will be inaccessible. Thus, you should
105 keep keys ordered and in a place that is separate from the contents being
106 backed up. It can happen, for example, that you back up an entire system, using
107 a key on that system. If the system then becomes inaccessible for any reason
108 and needs to be restored, this will not be possible as the encryption key will be
109 lost along with the broken system.
111 It is recommended that you keep your key safe, but easily accessible, in
112 order for quick disaster recovery. For this reason, the best place to store it
113 is in your password manager, where it is immediately recoverable. As a backup to
114 this, you should also save the key to a USB drive and store that in a secure
115 place. This way, it is detached from any system, but is still easy to recover
116 from, in case of emergency. Finally, in preparation for the worst case scenario,
117 you should also consider keeping a paper copy of your key locked away in a safe
118 place. The `paperkey` subcommand can be used to create a QR encoded version of
119 your key. The following command sends the output of the `paperkey` command to
120 a text file, for easy printing.
123 # proxmox-backup-client key paperkey /etc/pve/priv/storage/<STORAGE-ID>.enc --output-format text > qrkey.txt
126 Additionally, it is possible to use a single RSA master key pair for key
127 recovery purposes: configure all clients doing encrypted backups to use a
128 single public master key, and all subsequent encrypted backups will contain a
129 RSA-encrypted copy of the used AES encryption key. The corresponding private
130 master key allows recovering the AES key and decrypting the backup even if the
131 client system is no longer available.
133 WARNING: The same safe-keeping rules apply to the master key pair as to the
134 regular encryption keys. Without a copy of the private key recovery is not
135 possible! The `paperkey` command supports generating paper copies of private
136 master keys for storage in a safe, physical location.
138 Because the encryption is managed on the client side, you can use the same
139 datastore on the server for unencrypted backups and encrypted backups, even
140 if they are encrypted with different keys. However, deduplication between
141 backups with different keys is not possible, so it is often better to create
144 NOTE: Do not use encryption if there is no benefit from it, for example, when
145 you are running the server locally in a trusted network. It is always easier to
146 recover from unencrypted backups.
148 Example: Add Storage over CLI
149 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
151 // TODO: FIXME: add once available
152 //You can get a list of exported CIFS shares with:
155 //# pvesm scan pbs <server> [--username <username>] [--password]
158 Then you could add this share as a storage to the whole {pve} cluster
162 # pvesm add pbs <id> --server <server> --datastore <datastore> --username <username> --fingerprint 00:B4:... --password
170 * link:/wiki/Storage[Storage]
projects / pve-docs.git / blob