Encryption options for PBS local storage and S3

pahanijulmu

New Member
Nov 4, 2025
I have one Proxmox PVE 9.0.9 server and Proxmox PBS 4.0.18 on separate hardware (Debian 13 server and ZFS pool). I'm planning to add Backblaze B2 as offsite backup. Just wanted to confirm: if I'd like backups to go PVE -> PBS -> S3 and have them encrypted in S3, do I first need to set the PBS datastore to encrypted, and are all backups then going to be encrypted? And if I would need to restore directly from S3 to a new PVE server, would I need the same encryption key used to encrypt the backups to PBS?

Or if I want only S3 to be encrypted, would I need to add it as a separate storage and run separate backup jobs?
 
do I first need to set the PBS datastore to encrypted, and are all backups then going to be encrypted?
Encryption is currently handled on the client side only, so you will have to set up the PBS storage in PVE or your proxmox-backup-client to use encryption. There are plans to also implement some form of server-side encryption, see https://bugzilla.proxmox.com/show_bug.cgi?id=6633

And if I would need to restore directly from S3 to a new PVE server, would I need the same encryption key used to encrypt the backups to PBS?
You cannot restore directly from S3 to PVE; you will have to set up a PBS instance that uses the same endpoint and bucket, and use that to set up the PBS storage on PVE with the same encryption keys.

Or if I want only S3 to be encrypted, would I need to add it as a separate storage and run separate backup jobs?
Yes, you might want to set up a dedicated PBS storage on the PVE side with encryption, namespaced in PBS. But note that this will have side effects with respect to dirty-bitmap tracking and de-duplication.
 
Thank you for the advice Chris. I noticed dirty-bitmap issues when I tested different combinations, so I think the best way seems to be to back up first to PBS local storage and then do a sync job to S3. It seems that I can just turn encryption on and the next backups will be encrypted? And the sync job has an option to sync encrypted backups only.

And the minimum I need to secure from the current PVE and PBS servers is the .enc file from PVE?
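Since encryption happens on the client and the keyfile is the only thing that makes the S3 copy unreadable, the following added example (not from the thread or from Proxmox) wraps the documented proxmox-backup-client key commands with a permission and fingerprint check on the keyfile before it is used. The default key path, the repository environment variable and the presence of a "fingerprint" field in keys written by current clients are assumptions; PVE itself keeps its per-storage key at /etc/pve/priv/storage/<storeid>.enc.

```shell
#!/bin/sh
# Added example: keyfile hygiene for PBS client-side encryption.
# Whoever holds this file can read every encrypted snapshot, locally or in
# S3; whoever loses it cannot restore anything. PVE stores its copy under
# /etc/pve/priv/storage/<storeid>.enc, a standalone client uses --keyfile.
set -eu

# Assumed default location; override with PBS_KEYFILE.
KEYFILE="${PBS_KEYFILE:-/root/.config/proxmox-backup/encryption-key.json}"

# Return 0 only if the keyfile exists, is readable by its owner alone and
# carries a fingerprint field (assumed to be written by "key create").
require_keyfile() {
    f="$1"
    [ -s "$f" ] || { echo "missing or empty keyfile: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f")            # GNU stat (Linux)
    case "$mode" in
        400|600) ;;
        *) echo "keyfile $f has mode $mode, expected 600" >&2; return 1 ;;
    esac
    grep -q '"fingerprint"' "$f" || { echo "no fingerprint in $f" >&2; return 1; }
}

# Create the key once (prompts for a passphrase), print its fingerprint so it
# can be recorded next to the offline copy, and render a paper copy.
create_key() {
    [ -e "$KEYFILE" ] && { echo "keyfile already exists: $KEYFILE" >&2; return 1; }
    proxmox-backup-client key create "$KEYFILE"
    proxmox-backup-client key show "$KEYFILE"
    proxmox-backup-client key paperkey "$KEYFILE" --output-format text \
        > "${KEYFILE%.json}.paperkey.txt"
    require_keyfile "$KEYFILE"
}

# Data is encrypted before upload, so the PBS datastore and anything it is
# synced to (an S3 bucket included) only ever hold ciphertext.
backup_encrypted() {
    require_keyfile "$KEYFILE"
    proxmox-backup-client backup root.pxar:/ \
        --repository "$PBS_REPOSITORY" --keyfile "$KEYFILE"
}

# Only act when a repository is given; sourcing the file just defines functions.
if [ -n "${PBS_REPOSITORY:-}" ]; then
    [ -e "$KEYFILE" ] || create_key
    backup_encrypted
fi
```

Run it as PBS_REPOSITORY='user@pbs@pbs-host:store' sh backup.sh; store the paper key and the fingerprint somewhere the PBS and S3 credentials cannot reach.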
 
Hi, I have a somewhat related question, as I am also setting up S3 cloud storage for my PVE/PBS backups.
I use no encryption for any locally stored backups on my PBS server; this enables me to also browse these backups from the web GUI on my PBS host. I really like this feature for quick checks or to download a few specific files from a given backup.
For the S3 cloud storage I use encryption; the keys are on the PVE host and are used for any backups going to S3 cloud storage via the PBS host. Only these backups I cannot browse anymore via the web GUI of my PBS host, since that doesn't have the keys. Is there any way to provide the keys also to my PBS host, to enable browsing of these backups via the web GUI of my PBS host?
Anything I could find about encryption only talks about client-side encryption and how to manage keys for that, but I couldn't find anything about keys on the PBS host itself.
 
Anything I could find about encryption only talks about client-side encryption and how to manage keys for that, but I couldn't find anything about keys on the PBS host itself.
Check this reply from two posts above...
Encryption is currently handled on the client side only, so you will have to set up the PBS storage in PVE or your proxmox-backup-client to use encryption. There are plans to also implement some form of server-side encryption, see https://bugzilla.proxmox.com/show_bug.cgi?id=6633
 
Hi, thanks for your reply. I did read the previous post already, but I'm not entirely sure whether that is also related to my question.
The previous post is about having a simple password for an S3-based repo from PBS; having something like that would also solve my problem if I redid all my backups going into that repo. But I was wondering if it's possible to share the keys I use on the PVE host doing the backups with my PBS host, so that also on the PBS host's web GUI I would still be able to browse all the backups, the unencrypted ones but also the encrypted ones.
 
Ah ok. No, the idea of client-side encryption is that the PBS servers don't have any access to the data, which makes it easy to sync to another PBS server that you either don't control physically, or not at all, as companies do offer shared PBS servers as a service.

So until you can enable encryption on the PBS server itself, i.e. not on the PVE host or other clients, you will have to browse encrypted backups on a client that has the encryption key.