Encryption

anonymous_user0414

Nov 15, 2022
Hello,

I have two questions.

is it possible to use a luks encrypted disk as storage?

can I mount and read an encrypted .img backup?

Thanks
 
Hello,

I have two questions.

is it possible to use a luks encrypted disk as storage?

yes, but not in our bare metal installer (you need to install Debian yourself, and then install PVE on top) if you want to use it as root disk as well. if you just want to have an encrypted storage for guest disks and/or backups, you can set up the storage yourself and then tell PVE how to find it ;)

can I mount and read an encrypted .img backup?
that depends what you mean by that - how was the .img file created and encrypted?
 
yes, but not in our bare metal installer (you need to install Debian yourself, and then install PVE on top) if you want to use it as root disk as well. if you just want to have an encrypted storage for guest disks and/or backups, you can set up the storage yourself and then tell PVE how to find it ;)
Oh, that sounds great. Thank you for the quick reply.

i have proxmox installed on debian 11. how can i tell proxmox to use the luks image as storage?

actually i am talking about the PBS. there i want to use a luks disk as backup storage.
PBS is also installed on debian.


that depends what you mean by that - how was the .img file created and encrypted?
for this i used the proxmox backup client. there i want to create an encrypted image and be able to mount it like i do with fuse on .pxar

# proxmox-backup-client mount host/backup-client/2020-01-29T11:29:22Z root.pxar /mnt/mountpoint

usual syntax to encrypt .pxar
# proxmox-backup-client backup etc.pxar:/etc --keyfile /path/to/my-backup.key

would that even work here?
# proxmox-backup-client backup etc.img:/etc --keyfile /path/to/my-backup.key
 
moved the thread to PBS accordingly ;)

actually i am talking about the PBS. there i want to use a luks disk as backup storage.
PBS is also installed on debian.

if you have a luks disk mounted somewhere, simply use the "add datastore" dialogue with a directory on that mounted, encrypted disk (e.g., if you mount your luks disk to /encrypted, you could use /encrypted/datastore as path).

for this i used the proxmox backup client. there i want to create an encrypted image and be able to mount it like i do with fuse on .pxar

the PBS client only supports its built-in encryption and corresponding keys - all the restore/access features can then also use the same key to verify and decrypt the backups. there is also the option of using a "master key". this might come in handy if you have lots of different systems doing backups, since the encryption key needs to be available to the client doing the backup, but you might want to have different keys for each client. if you set up a master key, the client will store its encryption key encrypted for the public part of the master key pair on the PBS server, so you only need to keep the private part of the master key pair safe to recover all encrypted backups, instead of having to keep X encryption keys stored in a safe/.. somewhere. see the linked docs for details ;)
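
A guard for the datastore setup described above, as an added example that is not part of the original thread: while the LUKS disk is locked or unmounted, a directory at /encrypted/datastore sits on the unencrypted parent filesystem, so it is worth checking which device actually backs the path. The mapping name backupcrypt, the helper function names and the sample mounts table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumed names: mapping "backupcrypt", mount point /encrypted.

# Constructed sample in /proc/self/mounts format (not taken from a real host).
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
/dev/mapper/backupcrypt /encrypted ext4 rw,relatime 0 0
EOF
}

# mount_source PATH [MOUNTS_FILE]
# Print the source device of the filesystem that holds PATH, i.e. the entry
# with the longest mount point that is PATH itself or a parent directory.
mount_source() {
    awk -v p="$1" '
        BEGIN { best = -1 }
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                # ">=" lets a later mount on the same point shadow an earlier one
                if (length(mp) >= best) { best = length(mp); src = $1 }
            }
        }
        END { if (src != "") print src }
    ' "${2:-/proc/self/mounts}"
}

# datastore_is_encrypted PATH MAPPING [MOUNTS_FILE]
# Succeeds only when PATH lives on /dev/mapper/MAPPING, the device node that
# "cryptsetup open <disk> MAPPING" creates. Fails while the disk is locked,
# because PATH then resolves to the unencrypted parent filesystem.
datastore_is_encrypted() {
    src=$(mount_source "$1" "${3:-/proc/self/mounts}")
    [ "$src" = "/dev/mapper/$2" ]
}

# Typical guard on the PBS host before backups run:
#   datastore_is_encrypted /encrypted/datastore backupcrypt || exit 1
```

PATH is expected to be an absolute, already-resolved path; mount points containing spaces appear escaped in the mounts table and are not handled here.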
 
okay, i understood the first part. so i can add a datastore without adding an empty storage first. all right.

the second part doesn't quite answer my question. it's not about the restore, but only about mounting the encrypted backup in the host to view the content.
unfortunately this is not possible in the pbs gui once the backups are encrypted.
 
the PBS server doesn't have the key, so it cannot access the contents of encrypted backups. you can use the PBS client together with the key to access the contents - via restore, file-restore, mount, catalog-shell, .. ;) you can do that on any system that has access to the PBS server, including on the PBS server itself if you want. file-restore for block-based ("fidx", ".img") backups requires additional packages (the actual file listing and restore part happens in a special VM for this kind of backup), so it mostly makes sense to use a PVE host for that since it's ensured that those packages work there.
 
