From 8200df48fb531eebcbef49dd2f36a2895e80f483 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Fabian=20Gr=C3=BCnbichler?= Date: Tue, 22 Jun 2021 13:43:31 +0200 Subject: [PATCH] pbs: add information about master key support MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Signed-off-by: Fabian Grünbichler --- pve-storage-pbs.adoc | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/pve-storage-pbs.adoc b/pve-storage-pbs.adoc index c22f5b3..a3d7da1 100644 --- a/pve-storage-pbs.adoc +++ b/pve-storage-pbs.adoc @@ -57,6 +57,13 @@ restricted to the root user. Use the magic value `autogen` to automatically generate a new one using `proxmox-backup-client key create --kdf none `. Optional. +master-pubkey:: + +A public RSA key used to encrypt the backup encryption key as part of the +backup task. The encrypted copy will be appended to the backup and stored on +the Proxmox Backup Server instance for recovery purposes. +Optional, requires `encryption-key`. + .Configuration Example (`/etc/pve/storage.cfg`) ---- pbs: backup @@ -116,6 +123,18 @@ a text file, for easy printing. # proxmox-backup-client key paperkey /etc/pve/priv/storage/.enc --output-format text > qrkey.txt ---- +Additionally, it is possible to use a single RSA master key pair for key +recovery purposes: configure all clients doing encrypted backups to use a +single public master key, and all subsequent encrypted backups will contain a +RSA-encrypted copy of the used AES encryption key. The corresponding private +master key allows recovering the AES key and decrypting the backup even if the +client system is no longer available. + +WARNING: The same safe-keeping rules apply to the master key pair as to the +regular encryption keys. Without a copy of the private key recovery is not +possible! The `paperkey` command supports generating paper copies of private +master keys for storage in a safe, physical location. + Because the encryption is managed on the client side, you can use the same datastore on the server for unencrypted backups and encrypted backups, even if they are encrypted with different keys. However, deduplication between -- 2.39.2