[SOLVED] Encryption keys recovery - possible?

DerekG

Mar 30, 2021
Hi all,

I'm posting this here on the off chance that there is a solution to my problem.

I have a fully operational PBS with encrypted backup for around the last 2-3 years.

I recently set up a second PBS for use as an off-site synced backup server, all is working except I can't restore from the new server due to the wrong encryption keys.

I do have the text of some keys stored, but none of them seem to work, and this situation has actually highlighted the fact that were my original PBS to fail, I wouldn't be able to rebuild and recover any of those backups.

Is there any possible way that I can recover the encryption keys from the original pbs, or do I have to start the entire backup process again?
(For information, this is a home-lab with around 25 active VMs/CTs, but my backup datastore has around 60 of them)

Any assistance would be much appreciated.

Thanks - DerekG
 
If the PBS in question is still added/present as a storage in a PVE, have a look in: /etc/pve/priv/storage/ (the .enc file(s)) on that PVE.
 
Perfect,

I found the enc file, added it to the 2nd PBS, and now I can restore the synced backup OK.

I've also stored the file in a safe location so both of my issues are solved.

Thank you Neobin, that saved me a lot of work here.
 
@DerekG : Could you please explain how you did this => adding .enc file to the remote PBS - just put that file in the same directory as on the first PBS?
 
Is the original Proxmox host still operational?
If yes:
The encryption key file for Proxmox Backup Server (PBS) is stored in the file /etc/pve/priv/storage/.enc on the Proxmox host.

I suggest that you keep this file in a password manager or somewhere else as it will be needed if you recreate the Proxmox host and want access to the backup in PBS.

Hope that helps.
 
Hello @DerekG - I copied the .enc and .pw files from the original host to the same directory on the new host. But when I try to restore an encrypted backup I get an error => see attachment remote_pve_host_restore_failure.jpg
 
Did you reboot after copying the key? I don't know enough to understand which services need to be restarted.

That error is telling you that the encryption was created with a different key. The only way to restore is to have the PBS backup and the PVE keys match.
 
Also, after a reboot of the remote PVE host I am not able to do a restore of that encrypted backup. In addition to the error shown in post #6, I tried to go further with the restore attempt, leading to the following message:
restore_try_message.jpg

Maybe this kind of restore cannot be done via the GUI and should be done via a command line with additional options regarding which .enc file to use?
 
Are you trying to do a backup or a restore of an existing backup there? What were the steps taken which led you to this point? Did you re-install the Proxmox host?

Are you talking about a backup to PBS or a regular backup to the Datacentre storage?

Check the Datacentre -> Storage -> Backup store -> Encryption tab, that should show the encryption status as active.
However, if you had reinstalled the Proxmox host that would have created a new encryption key which will not match the one in your backup store.
 
The concept was: a VM at cluster A was backed up with PBS A => then, via push sync of the backup datastore, the backup of the VM was replicated from site A to a PBS B datastore at remote site B. That datastore was imported into Cluster B's datastores to be able to restore that VM (to see it in the GUI) to a PVE node in Cluster B.

I also tried to export the encryptionkey.json file from Cluster A by editing the datastore added from PBS A at site A.
Then I tried to import that encryptionkey.json at remote site B into the datastore of PBS B (where the replicated, encrypted backup files from site A are) within the GUI: Datacenter → Storage → datastore from PBS B → Edit → "Upload an existing client encryption key" → encryptionkey.json

After that I tried a restore of that VM from that datastore at site B and now I get the error:
proxmox-backup-client failed: Error: no password input mechanism available (500)

(Of course, during the export of the encryption key on site A I was asked for a password during the export process, and I set one.)
 
Ah, too complex an install to blow the PBS B away and rebuild.

As I stated, in the PVE B DataCentre -> Storage -> Your_Backup_Store -> Encryption tab, the encryption should be active and the same as that on PVE A.

Actually the system you have set up is similar to my install, only on a larger scale, and my PBS B pulls the backups from A. The key (no pun intended) is to ensure that the encryption keys are trusted throughout the chain, on PVE A & B and on PBS A & B. The same key must be used throughout, otherwise you will get the error you are now seeing.

Note: I have the actual 'your_backup.enc' file saved from PVE and used that in my case
Note: The encryption key has no relation to the SSL certificate used for authentication between PVE & PBS.
 
@DerekG - Thank you for your suggestions! Historically it seems that the original .enc file was lost with the host where that VM was initially backed up. The VM was moved to another PVE host in the cluster and the former PVE host was removed without securing that .enc file.
Anyway => I started from scratch with that VM backup and will make a test restore then.
Thank you for your assistance!
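
Added example, not part of the thread and not Proxmox code: a Python check that the key files collected from each PVE host (the .enc files under /etc/pve/priv/storage/) are the same key, comparing fingerprints rather than key material, which is the "same key throughout the chain" condition described above. The JSON layout with `kdf`, `data` and `fingerprint` fields, the host names and all sample values are assumptions constructed for illustration.

```python
import json
import sys

# Constructed sample key files (placeholder data, not real keys). The layout,
# a JSON object with "kdf", "data" and "fingerprint", is an assumption.
def _sample(fingerprint, kdf=None):
    return json.dumps({"kdf": kdf, "created": "2023-01-10T09:00:00+01:00",
                       "data": "Q09OU1RSVUNURUQ=", "fingerprint": fingerprint})

SAMPLES = {
    "pve-a": _sample("aa:11:bb:22:cc:33:dd:44"),
    "pve-b": _sample("AA:11:BB:22:CC:33:DD:44"),  # same key, different case
    "pve-b-reinstalled": _sample("0f:9e:8d:7c:6b:5a:49:38"),
    "exported": _sample("aa:11:bb:22:cc:33:dd:44", kdf={"Scrypt": {"n": 65536}}),
}

def describe_key(text):
    """Return (fingerprint, password_protected) for the text of one key file."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not JSON: {exc.msg}") from None
    if not isinstance(doc, dict) or "data" not in doc:
        raise ValueError("no 'data' field")
    fp = doc.get("fingerprint")
    if not isinstance(fp, str) or not fp.strip():
        raise ValueError("no fingerprint recorded")
    return fp.strip().lower(), doc.get("kdf") is not None

def compare_keys(named_texts):
    """Group key-file names by fingerprint and list files needing attention."""
    groups, notes, unusable = {}, [], 0
    for name, text in named_texts.items():
        try:
            fp, protected = describe_key(text)
        except ValueError as exc:
            notes.append(f"{name}: unusable ({exc})")
            unusable += 1
            continue
        groups.setdefault(fp, []).append(name)
        if protected:
            notes.append(f"{name}: password-protected")
    same = len(groups) == 1 and unusable == 0
    return {"same_key": same, "groups": groups, "notes": notes}

if __name__ == "__main__":
    # With arguments: compare the given key files; without: the samples above.
    # Only fingerprints are printed, never the key data itself.
    texts = {p: open(p, encoding="utf-8").read() for p in sys.argv[1:]} or SAMPLES
    result = compare_keys(texts)
    for fp, names in result["groups"].items():
        print(fp, "<-", ", ".join(names))
    print(*result["notes"], sep="\n")
    print("one key on all hosts" if result["same_key"] else "KEY MISMATCH")
```

Run it with the paths of the key files copied from each host as arguments; with no arguments it compares the constructed samples.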
 