Yes, that's the idea. It's however recommended to install PBS barebones on a physical server so you don't need a running hypervisor for recovery.
See here:
https://forum.proxmox.com/threads/migrating-pbs-to-new-server-re-adding-datastore.157159/
It depends, at the moment (see the references from Dunuin) not for S3, but for PBS native datastores (which are faster for local backups anyway) on a local disc. So the idea would be to have a second PBS at an offsite location and setup a sync job to sync your locally encrypted datastores to the offsite PBS:
https://pve.proxmox.com/wiki/Storage:_Proxmox_Backup_Server#storage_pbs_encryption
For sync jobs see here:
https://pbs.proxmox.com/docs/managing-remotes.html
Important: If you combine a pull-sync (the remote PBS pulls from the local PBS) and you restrict the access to the remote PBS with a firewall and tight permissions you can achieve ransomware protection that way:
https://pbs.proxmox.com/docs/storage.html#ransomware-protection-recovery
Another option might be to use the S3-storage providers internal access control and protection mechanisms.
However I noticed that the PVE wiki mentions that it's possible to have client-level encyprtions right from the first backup from your ProxmoxVE to ProxmoxBackupServer (see here:
https://pve.proxmox.com/wiki/Storage:_Proxmox_Backup_Server#storage_pbs_encryption )
In my understanding this means, that as soon as your backup was encrypted on the client it will be synced encrypted to anything else (be it a local or remote PBS or a S3 datastore). I asked developer
@Chris to clarify:
No, this is currently not planned, but given that datastore plain text datastore contents can be synced to a potentially less or un-trusted provider, it could make sense to add an additional server side encryption layer. Note however that there are also server side encryption options for buckets. But do open an enhancement request for this at
https://bugzilla.proxmox.com linking this post (the thread itself is to crowded to be liked as a whole).
Hm, did I miss something but do I understand correctly that client-encrypted backups (like described on...
Indeed this is how it works, so you could start with encryptions right from the start and it will be encrypted on your s3-storage too:
Hm, did I miss something but do I understand correctly that client-encrypted backups (like described on
https://pve.proxmox.com/wiki/Storage:_Proxmox_Backup_Server#storage_pbs_encryption ) are encrypted in any case, even if the first datastore used by the PBS is on a S3 storage? I mean the feature request is about adding server-level encryption (e.g. for encrypting a datastore before offsite replication) while the wiki-page is about client-level encryption.
Yes, client side encrypted snapshots are and will be encrypted also on the s3 backend. As you understood correctly, the...
As far I know it should be sufficient to backup the /etc/ folder with a backup tool of your choice (in theory even the proxmox-backup-client for backing up to a PBS would work, but I would use something different like rsnapshot, restic or even zfs snapshots with zfs send/receive so I don't need a working PBS to get a working PBS). But since the PBS default install doesn't need much space I would propably go with a backup of the whole PBS OS disc. Another option (if you run PBS as a VM) could be to use ProxmoxVEs native backup feature to a NFS share or something similiar, since that doesn't need a working PBS for backup and restore. Of course this counterdicts the recommendation for a baremetal PBS, pick your poison
Really appreciated!