Encryption options for PBS local storage and S3

pahanijulmu

New Member
Nov 4, 2025
I have one Proxmox PVE 9.0.9 server and Proxmox PBS 4.0.18 on separate hardware (Debian 13 server and ZFS pool). I'm planning to add Backblaze B2 as offsite backup. Just wanted to confirm that if I'd like backups to go PVE -> PBS -> S3 and have them encrypted in S3, first I need to set PBS datastore encrypted and all backups are going to be encrypted? And if I would need to restore directly from S3 to new PVE server I would need same encryption key used to encrypt backups to PBS?

Or if I want only S3 to be encrypted, then I would need to add it as separate storage and run separate backup jobs?
 
first I need to set PBS datastore encrypted and all backups are going to be encrypted?
Encryption is currently handled on the client side only, so you will have to set up the PBS storage in PVE or your proxmox-backup-client to use encryption. There are plans to also implement some form of server side encryption, see https://bugzilla.proxmox.com/show_bug.cgi?id=6633

And if I would need to restore directly from S3 to new PVE server I would need same encryption key used to encrypt backups to PBS?
You cannot restore directly from S3 to PVE; you will have to set up a PBS instance which uses the same endpoint and bucket and use that to set up the PBS storage on PVE using the same encryption keys.

Or if I want only S3 to be encrypted, then I would need to add it as separate storage and run separate backup jobs?
Yes, you might want to set up a dedicated PBS storage on the PVE side with encryption, being namespaced in PBS. But note that this will have side effects with respect to dirty bitmap tracking and de-duplication.
 
Thank you for the advice, Chris. I noticed dirty bitmap issues when I tested different combinations, so I think the best way seems to be to back up first to PBS local storage and then do a sync job to S3. It seems that I can just turn encryption on and the next backups will be encrypted? And the sync job has an option to sync encrypted backups only.

And the minimum I need to secure from the current PVE and PBS servers is the .enc file from PVE?