[SOLVED] Encryption keys recovery - possible?

[DerekG]

Hi all,

I'm posting this here on the off chance that there is a solution to my problem.

I have a fully operational PBS with encrypted backup for around the last 2-3 years.

I recently setup a second PBS for use as an off-site synced backup server, all is working except I can restore from the new server due to the wrong encryption keys.

I do have the text of some keys stored, but none of them seem to work, and this situation has actually highlighted the fact that was my original pbs to fail, I wouldn't be able to rebuild and recover any of those backups.

Is there any possible way that I can recover the encryption keys from the original pbs, or do I have to start the entire backup process again?
(For information, this is a home-lab with around 25 active VM's/CT's, but my backup datastore has around 60 of them)

Any assistance would be much appreciated.

Thanks - DerekG

 

[Neobin]

If the PBS in question is still added/present as a storage in a PVE, have a look in: /etc/pve/priv/storage/ (the .enc file(s)) on that PVE.

 

[DerekG]

Perfect,

I found the enc file, added to the 2nd pbs, and now I can restore the synced backup OK.

I've also stored the file in a safe location so both of my issues are solved.

Thank you Neobin, that saved me a lot of work here.

 

[rudolfo1967]

@DerekG : Could you please explain how you did this => adding .enc file to the remote PBS - just put that file in the same directory as on the first PBS?

 

[DerekG]

@DerekG : Could you please explain how you did this => adding .enc file to the remote PBS - just put that file in the same directory as on the first PBS?

Is the original Proxmox host still operational?
If yes:
The encryption key file for Proxmox Backup Server (PBS) is stored in the file /etc/pve/priv/storage/.enc on the Proxmox host.

I suggest that you keep this file in a password manager or somewhere else as it will be needed if you recreate the Proxmox host and want access to the backup in PBS.

Hope that helps.

 

[rudolfo1967]

Hello @DerekG - i copied the .enc and .pw file from the original host to the same directory on the new host. But when i try to restore an encrypted backup i get an error => see attachment

 

[DerekG]

Hello @DerekG - i copied the .enc and .pw file from the original host to the same directory on the new host. But when i try to restore an encrypted backup i get an error => see attachment View attachment 91806

Did you reboot after copying the key? I don't know enough to understand which services need to be restarted.

That error is telling you that the encryption was created with a different key. The only way to restore is to have the PBS backup and the PVE keys match.

 

[rudolfo1967]

@DerekG - No - i did not do a reboot. So you mean that the copied key is only read at boot time. I will try it. Thank you for your guess.

 

[rudolfo1967]

Also after a reboot of the remote PVE Host i am not able to do a restore of that encrypted backup. Additional to the error shown in post #6 i tried to go further with the restore attempt leading to the following message:


Maybe this kind of restore can not be done via GUI and should be done via a command line with additional options regarding which .enc file to use?

 

[DerekG]

Also after a reboot of the remote PVE Host i am not able to do a restore of that encrypted backup. Additional to the error shown in post #6 i tried to go further with the restore attempt leading to the following message:
View attachment 91815

Maybe this kind of restore can not be done via GUI and should be done via a command line with additional options regarding which .enc file to use?

Are you trying to do a backup or a restore of an existing backup there? What were the steps taken which led you to this point? Did you re-install the Proxmox host?

Are you talking about a backup to PBS or a regular backup to the Datacentre storage.?

Check the Datacentre -> Storage -> Backup store -> Encryption tab, that should show the encryption status as active.
However, if you had reinstalled the Proxmox host that would have created a new encryption key which will not match the one in your backup store.

 

[rudolfo1967]

The concept was: VM at cluster A was backuped with PBS A => then via push sync of the backup datastore replicating the backup from the vm from site A to a remote site B to a PBS B datastore. That datastore was imported into Cluster B datastores to be able to restore that vm (to see it in the GUI) to a pve node in Cluster B.

I also tried to export the encryptionkey.json file from Cluster A editing the datastore added from the PBS A at site A.
Then tried to imort that encryptionkey.json on the remote site B in the datastore of PBS B (where the replicated, encrypted backup files from site a are) within the GUI: GUI: Datacenter → Storage → datastore from pbs B → Edit → „Upload an existing client encryption key“ → encryptionkey.json

After that i tried a restore of that vm from that datastore in site B and now i get the error:
proxmox-backup-client failed: Error: no password input mechanism available (500)

(of course during the export of the encryption-key on site a i was asked for a password during the export process. And i set one.

 

[DerekG]

Ah, too complex an install to blow the PBS B away and rebuild.

As I stated, in the PVE B DataCentre -> Storage -> Your_Backup_Store - > Encryption tab, the encryption should be active and the same as that on PVE A.

Actually the system you have setup is similar to my install, only on a larger scale and my PBS B pulls the backups from A. The key (no pun intended) is to ensure that the encryption keys are trusted throughout the chain, on PVE A & B and on PBS A & B. The same key must be used throughout, otherwise you will get the error you are now seeing.

Note: I have the actual 'your_backup.enc' file saved from PVE and used that in my case
Note: The encryption key has no relation to the SSL certificate used for authentication between PVE & PBS.

 

[rudolfo1967]

@DerekG - Thank you for your suggestions! Historically it seems that the original .enc - file is lost with the host where that VM was initially backed up. The VM was moved to another PVE host in the cluster and the former PVE Host was removed without securing that .enc file.
Anyway => i started from scratch with that VM backup and will make a test-restore then.
Thank you for your assistance!