[SOLVED] Set up Proxmox Backup Client using systemd credentials

[smathes]

Hi,

I'm trying to set up a proxmox backup client systemd-unit using credentials management as described [here](https://pbs.proxmox.com/docs/backup-client.html#system-and-service-credentials).
When running the command from the cli on the client everything is working fine but having translated it into a service unit I'm encountering an error.

root@sampo:~# systemctl status backup-ncdata
× backup-ncdata.service - Perform backup of Nextcloud data using Proxmox Backup Client
     Loaded: loaded (/etc/systemd/system/backup-ncdata.service; static)
     Active: failed (Result: exit-code) since Sat 2025-06-28 22:23:54 CEST; 207ms ago
   Duration: 4.703s
    Process: 3614319 ExecStart=proxmox-backup-client backup <some-archive.pxar>:<source-dir> --dry-run (code=exited, status=255/EXCEPTION)
   Main PID: 3614319 (code=exited, status=255/EXCEPTION)
        CPU: 27ms

Jun 28 22:23:49 sampo.smathes.de systemd[1]: Started backup-ncdata.service - Perform backup of  data using Proxmox Backup Client.
Jun 28 22:23:49 sampo.smathes.de proxmox-backup-client[3614319]: Starting backup: host/sampo/2025-06-28T20:23:49Z
Jun 28 22:23:49 sampo.smathes.de proxmox-backup-client[3614319]: Client name: sampo
Jun 28 22:23:49 sampo.smathes.de proxmox-backup-client[3614319]: Starting backup protocol: Sat Jun 28 22:23:49 2025
Jun 28 22:23:54 sampo.smathes.de proxmox-backup-client[3614319]: Error: permission check failed.

My systemd-units looks like this:

root@sampo:~# systemctl cat backup-ncdata
# /etc/systemd/system/backup-ncdata.service
[Unit]
Description=Perform backup of Nextcloud data using Proxmox Backup Client

[Service]
ExecStart=proxmox-backup-client backup <some-archive.pxar>:<source-dir> --dry-run
SetCredential=proxmox-backup-client.repository:<backup-user>@pam@<host-address>:<datastore>
LoadCredentialEncrypted=proxmox-backup-client.password:/usr/local/lib/ciphertext.cred \

Am I missing something obvious? Has anyone gotten this to work?

Edit: I can get it to work passing the credetials in cleartext using `SetCredential=proxmox-backup-client.password:<supersecretpassword>` but neither `SetCredentialEncrypted` nor `LoadCredentialEncrypted` seem to work. Probing with `/usr/bin/systemd-creds cat proxmox-backup-client.password` yields the password just fine.

 

[Chris]

Hi,
just double checked with a similar setup as you have, credentials are loaded as expected. What version of the proxmox backup client do you use?

Could it simply be a typo in your systemd service file?

LoadCredentialEncrypted=proxmox-backup-client.password:/usr/local/lib/ciphertext.cred \

Note the trailing backslash which should not be there...

If not, how do you trigger the systemd service?

 

[smathes]

I've tested with and without the trailing slash, didn't make a difference.

client version is: 3.4.1, systemd version is 255 on ubuntu24.04

For testing I'm triggering the service manually via systemctl start/stop but I plan on using a timer unit once it's up and running.

I've also tried using an API-token vs. user credentials but both results in the same error message

 

[Chris]

<backup-user>@pam@<host-address>:<datastore>

Did you also double check the realm, user permissions and datastore as used in your systemd unit? How are the secrets encrypted? Using a secret from TPM2 chip or via key from file?

client version is: 3.4.1, systemd version is 255 on ubuntu24.04

Is this the statically linked binary or the regular one?

 

[smathes]

Did you also double check the realm, user permissions and datastore as used in your systemd unit?

Yup, I can use the same --repository string from the cli just fine.

How are the secrets encrypted? Using a secret from TPM2 chip or via key from file?

I used systemd-creds encrypt --name=proxmox-backup-client.password plaintext.txt ciphertext.cred but I've also tried passing it as encrypted string using SetCredentialEncrypted=proxmox-backup-client.password: and so on. The only thing which has worked so far is passing it via SetCredential in plaintext

Is this the statically linked binary or the regular one?

I'm using the regular one.

 

[Chris]

Ah yes, can reproduce it now. Didn't use the correctly encrypted token in my previous testing, which is why it initially worked for me. Will investigate further...

 

[Chris]

Okay, so works for me, but only with the token I had laying around from previous testing. My new token didn't work as well, because it included the newline in the file when encrypting it. Best is to pass in the password/secret via systemd-ask-password -n | systemd-creds encrypt --name=proxmox-backup-client.password - /path/to/your/encrypted.cred

Thanks @Maximiliano for the pointer!

 

[smathes]

Works like a charm, thank you very much @Chris @Maximiliano