pve-storage-pbs.adoc

   1 [[storage_pbs]]
   2 Proxmox Backup Server
   3 ---------------------
   4 ifdef::wiki[]
   5 :pve-toplevel:
   6 :title: Storage: Proxmox Backup Server
   7 endif::wiki[]
   8
   9 Storage pool type: `pbs`
  10
  11 This backend allows direct integration of a Proxmox Backup Server into {pve}
  12 like any other storage.
  13 A Proxmox Backup storage can be added directly through the {pve} API, CLI or
  14 the webinterface.
  15
  16 Configuration
  17 ~~~~~~~~~~~~~
  18
  19 The backend supports all common storage properties, except the shared flag,
  20 which is always set. Additionally, the following special properties to Proxmox
  21 Backup Server are available:
  22
  23 server::
  24
  25 Server IP or DNS name. Required.
  26
  27 username::
  28
  29 The username for the Proxmox Backup Server storage. Required.
  30
  31 TIP: Do not forget to add the realm to the username. For example, `root@pam` or
  32 `archiver@pbs`.
  33
  34 password::
  35
  36 The user password. The value will be saved in a file under
  37 `/etc/pve/priv/storage/<STORAGE-ID>.pw` with access restricted to the root
  38 user. Required.
  39
  40 datastore::
  41
  42 The ID of the Proxmox Backup Server datastore to use. Required.
  43
  44 fingerprint::
  45
  46 The fingerprint of the Proxmox Backup Server API TLS certificate. You can get
  47 it in the Servers Dashboard or using the `proxmox-backup-manager cert info`
  48 command. Required for self-signed certificates or any other one where the host
  49 does not trusts the servers CA.
  50
  51 encryption-key::
  52
  53 A key to encrypt the backup data from the client side. Currently only
  54 non-password protected (no key derive function (kdf)) are supported. Will be
  55 saved in a file under `/etc/pve/priv/storage/<STORAGE-ID>.enc` with access
  56 restricted to the root user.  Use the magic value `autogen` to automatically
  57 generate a new one using `proxmox-backup-client key create --kdf none <path>`.
  58 Optional.
  59
  60 .Configuration Example (`/etc/pve/storage.cfg`)
  61 ----
  62 pbs: backup
  63         datastore main
  64         server enya.proxmox.com
  65         content backup
  66         fingerprint 09:54:ef:..snip..:88:af:47:fe:4c:3b:cf:8b:26:88:0b:4e:3c:b2
  67         maxfiles 0
  68         username archiver@pbs
  69 ----
  70
  71 Storage Features
  72 ~~~~~~~~~~~~~~~~
  73
  74 Proxmox Backup Server only supports backups, they can be block-level or
  75 file-level based. {pve} uses block-level for virtual machines and file-level for
  76 container.
  77
  78 .Storage features for backend `cifs`
  79 [width="100%",cols="m,4*d",options="header"]
  80 |===============================================================
  81 |Content types |Image formats |Shared |Snapshots |Clones
  82 |backup        |n/a           |yes    |n/a       |n/a
  83 |===============================================================
  84
  85 [[storage_pbs_encryption]]
  86 Encryption
  87 ~~~~~~~~~~
  88
  89 [thumbnail="screenshot/storage-pbs-encryption-with-key.png"]
  90
  91 Optionally, you can configure client-side encryption with AES-256 in GCM mode.
  92 Encryption can be configured either via the web interface, or on the CLI with
  93 the `encryption-key` option (see above). The key will be saved in the file
  94 `/etc/pve/priv/storage/<STORAGE-ID>.enc`, which is only accessible by the root
  95 user.
  96
  97 WARNING: Without their key, backups will be inaccessible. Thus, you should
  98 keep keys ordered and in a place that is separate from the contents being
  99 backed up. It can happen, for example, that you back up an entire system, using
 100 a key on that system. If the system then becomes inaccessible for any reason
 101 and needs to be restored, this will not be possible as the encryption key will be
 102 lost along with the broken system.
 103
 104 It is recommended that you keep your key safe, but easily accessible, in
 105 order for quick disaster recovery. For this reason, the best place to store it
 106 is in your password manager, where it is immediately recoverable. As a backup to
 107 this, you should also save the key to a USB drive and store that in a secure
 108 place. This way, it is detached from any system, but is still easy to recover
 109 from, in case of emergency. Finally, in preparation for the worst case scenario,
 110 you should also consider keeping a paper copy of your key locked away in a safe
 111 place. The `paperkey` subcommand can be used to create a QR encoded version of
 112 your key. The following command sends the output of the `paperkey` command to
 113 a text file, for easy printing.
 114
 115 ----
 116 # proxmox-backup-client key paperkey /etc/pve/priv/storage/<STORAGE-ID>.enc --output-format text > qrkey.txt
 117 ----
 118
 119 Because the encryption is managed on the client side, you can use the same
 120 datastore on the server for unencrypted backups and encrypted backups, even
 121 if they are encrypted with different keys. However, deduplication between
 122 backups with different keys is not possible, so it is often better to create
 123 separate datastores.
 124
 125 NOTE: Do not use encryption if there is no benefit from it, for example, when
 126 you are running the server locally in a trusted network. It is always easier to
 127 recover from unencrypted backups.
 128
 129 Example: Add Storage over CLI
 130 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 131
 132 // TODO: FIXME: add once available
 133 //You can get a list of exported CIFS shares with:
 134 //
 135 //----
 136 //# pvesm scan pbs <server> [--username <username>] [--password]
 137 //----
 138
 139 Then you could add this share as a storage to the whole {pve} cluster
 140 with:
 141
 142 ----
 143 # pvesm add pbs <id> --server <server> --datastore <datastore> --username <username> --fingerprint 00:B4:... --password
 144 ----
 145
 146 ifdef::wiki[]
 147
 148 See Also
 149 ~~~~~~~~
 150
 151 * link:/wiki/Storage[Storage]
 152
 153 endif::wiki[]