Add encryption after the fact

Dec 8, 2022
I'm currently running two PBS servers. One onsite and one offsite. Based on how I had my network configured, I couldn't do a pull sync, so I've been doing a backup from PVE to each PBS nightly. Obviously this isn't the ideal way to do things. My onsite backups aren't currently encrypted, the offsite are. Now that 'push' has been added to PBS I'd like to do things more correctly. I have a few questions:

1. I see in PVE that I can add encryption to my onsite backup. Any harm in doing that while I have existing backups? Will it just encrypt future backups?
2. Assuming it's just future backups, and that I'm okay losing my historical backup data, should I delete all existing backups so I'll only have encrypted backups for syncing safety?
3. Can I use the encryption key from the offsite backup for the onsite one? This way my PVE server can decrypt backups from either location?
4. Would I want to delete the existing backups from the offsite PBS so that it starts fresh as a replication target from the onsite PBS?

I appreciate any help and clarification that can be provided. Feel free to provide anything you think I might have missed that I should be aware of.

Thank you
 
1. I see in PVE that I can add encryption to my onsite backup. Any harm in doing that while I have existing backups? Will it just encrypt future backups?
Yes, as far as I'm aware you can't encrypt unencrypted backups later. Would be happy to be wrong though.

2. Assuming it's just future backups, and that I'm okay losing my historical backup data, should I delete all existing backups so I'll only have encrypted backups for syncing safety?

Yes, if you want them encrypted.

3. Can I use the encryption key from the offsite backup for the onsite one? This way my PVE server can decrypt backups from either location?

Yes. Since in case of a takeover of your PVE the attacker knows both keys anyhow I don't see much risk in differentiating between both. Obviously you should keep this key at some safe place (e.g. a USB stick and a printout) so you can recover it if the need arises. Would be a shame not to be able to use the encrypted backups.

4. Would I want to delete the existing backups from the offsite PBS so that it starts fresh as a replication target from the onsite PBS?
I don't see much to gain from it tbh. I would do it the other way round: Sync your offsite backups to your local PBS so the local PBS has the encrypted versions. Any future backup will then be encrypted and profit from deduplication. Since download is usually faster than upload this is probably the most efficient approach.

But of course you can also delete them.
 
Hey, thanks for taking the time. Just to confirm, on my first question, is there any harm in adding encryption to the already existing setup? I understand it won't encrypt existing backups, but it shouldn't break the setup as it currently stands, correct?
 
I assume, you might not be able to restore an existing backup, as it tries to unencrypt it which might not work. But I am not sure about that. But you could check that by just adding the key and trying to restore a file …

Alternatively you create a namespace on the PBS and add a second backup storage to the PVE with the encryption key. You must adapt the backup jobs to use the new backup storage.

What I am sure of is, that in both cases the first encrypted backup will be like a full backup, as the chunk checksums will be different. So be sure that you have enough free space.
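
A simplified model of the two deduplication points made in this thread (the first encrypted backup acting like a full one, and encrypted backups synced from the other PBS deduplicating with later backups that use the same key), added here as an illustration; it is not code from the thread or from Proxmox. It assumes a chunk ID is a plain SHA-256 without a key and a keyed digest with one, modelled here with HMAC-SHA256 over fixed 4 KiB chunks; the function names, keys and disk contents are constructed.

```python
import hashlib
import hmac

CHUNK_SIZE = 4096  # toy fixed chunk size (assumption for this model)


def block(n):
    """Constructed, deterministic 4 KiB disk block number n."""
    return hashlib.sha256(f"block-{n}".encode()).digest() * (CHUNK_SIZE // 32)


def chunk_ids(image, key=None):
    """Chunk IDs a datastore would index for this image under the model."""
    ids = set()
    for off in range(0, len(image), CHUNK_SIZE):
        chunk = image[off:off + CHUNK_SIZE]
        if key is None:
            ids.add(hashlib.sha256(chunk).hexdigest())           # unencrypted
        else:
            ids.add(hmac.new(key, chunk, hashlib.sha256).hexdigest())  # keyed
    return ids


def new_chunks(store, backup):
    """Number of chunks that must be uploaded and stored."""
    return len(backup - store)


def demo():
    day1 = b"".join(block(i) for i in range(64))
    # Day 2: 60 unchanged blocks, 4 rewritten ones.
    day2 = day1[:60 * CHUNK_SIZE] + b"".join(block(i) for i in range(100, 104))
    key_shared = b"A" * 32   # constructed key used for both PBS targets
    key_other = b"B" * 32    # constructed, different key

    plain_store = chunk_ids(day1)               # existing unencrypted backups
    synced_store = chunk_ids(day1, key_shared)  # encrypted backups synced in
    return {
        "unencrypted_incremental": new_chunks(plain_store, chunk_ids(day2)),
        "first_encrypted": new_chunks(plain_store, chunk_ids(day2, key_shared)),
        "same_key_after_sync": new_chunks(synced_store, chunk_ids(day2, key_shared)),
        "other_key_after_sync": new_chunks(synced_store, chunk_ids(day2, key_other)),
    }


if __name__ == "__main__":
    for case, count in demo().items():
        print(f"{case}: {count} new chunks of 64")
```
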
 
I honestly had similar assumptions. I'm fully okay with losing all my existing backups so that won't be the end of the world.

I had also considered that it would likely cause the backups to be completely full and not deduped as all the blocks would be encrypted this time around. I do appreciate the warning on that however. I do have enough room currently on my main PBS for that.
 
As a quick update. Went ahead and added the key. Took a backup. Was able to restore the unencrypted backup no problem. Fully tested it came up and worked. Then restored back from the fresh encrypted one.
 