How to do encrypted backups

ntimo

Jun 20, 2020
Hey,
I would like to do an encrypted backup of my virtual machines to my Proxmox Backup Server. How can I do this? From what I have found in the docs I can create a key using proxmox-backup-client key. But how can I use this key for my scheduled backups?

Thanks for your help,
Timo
 
Hi,

you can create an autogenerated key for a storage using:
pvesm set <storage-id> --encryption-key autogen if you use a recent enough libpve-storage-perl package (>= 6.2-3).
Containers backed up to this storage should then be encrypted by default, VMs too, but, IIRC, there may be something missing.

We'll work on integrating the encryption support better and more obviously into Proxmox VE.
 
Hi,

you can create an autogenerated key for a storage using:
pvesm set <storage-id> --encryption-key autogen if you use a recent enough libpve-storage-perl package (>= 6.2-3).
Containers backed up to this storage should then be encrypted by default, VMs too, but, IIRC, there may be something missing.

We'll work on integrating the encryption support better and more obviously into Proxmox VE.

So this is going to encrypt my pve host storage? And how can I encrypt the already existing virtual machines and containers? And can I simply use this to encrypt the pbs storage? So that I run pvesm set pbsstoragerepo --encryption-key autogen on my pve host.
 
Because if I try it for my local storage on my home lab server it throws an error:
Code:
root@pve01:~# pvesm set local-zfs --encryption-key autogen
update storage failed: error during cfs-locked 'file-storage_cfg' operation: unexpected property 'encryption-key'
 
So this is going to encrypt my pve host storage?

What, no. The VM/CT backups made on this storage.
And how can I encrypt the already existing virtual machines and containers?

The disk images of containers or virtual machines are not encrypted themselves; their backup is.

update storage failed: error during cfs-locked 'file-storage_cfg' operation: unexpected property 'encryption-key'

Well, do you have that update:
libpve-storage-perl package (>= 6.2-3).
(pveversion -v)
 
What, no. The VM/CT backups made on this storage.

The disk images of containers or virtual machines are not encrypted themselves; their backup is.

Well, do you have that update:
libpve-storage-perl package (>= 6.2-3).
(pveversion -v)

I have just updated my lab host at home to the latest version, and with this version the above command fails.

Code:
root@pve01:~# pveversion -v
proxmox-ve: 6.2-1 (running kernel: 5.4.44-2-pve)
pve-manager: 6.2-9 (running version: 6.2-9/4d363c5b)
pve-kernel-5.4: 6.2-4
pve-kernel-helper: 6.2-4
pve-kernel-5.3: 6.1-6
pve-kernel-5.0: 6.0-11
pve-kernel-5.4.44-2-pve: 5.4.44-2
pve-kernel-5.4.41-1-pve: 5.4.41-1
pve-kernel-5.3.18-3-pve: 5.3.18-3
pve-kernel-5.0.21-5-pve: 5.0.21-10
pve-kernel-5.0.15-1-pve: 5.0.15-1
ceph-fuse: 14.2.9-pve1
corosync: 3.0.4-pve1
criu: 3.11-3
glusterfs-client: 5.5-3
ifupdown: residual config
ifupdown2: 3.0.0-1+pve2
ksm-control-daemon: 1.3-1
libjs-extjs: 6.0.1-10
libknet1: 1.16-pve1
libproxmox-acme-perl: 1.0.4
libpve-access-control: 6.1-2
libpve-apiclient-perl: 3.0-3
libpve-common-perl: 6.1-5
libpve-guest-common-perl: 3.1-1
libpve-http-server-perl: 3.0-6
libpve-network-perl: 0.4-6
libpve-storage-perl: 6.2-3
libqb0: 1.0.5-1
libspice-server1: 0.14.2-4~pve6+1
lvm2: 2.03.02-pve4
lxc-pve: 4.0.2-1
lxcfs: 4.0.3-pve3
novnc-pve: 1.1.0-1
proxmox-mini-journalreader: 1.1-1
proxmox-widget-toolkit: 2.2-9
pve-cluster: 6.1-8
pve-container: 3.1-11
pve-docs: 6.2-5
pve-edk2-firmware: 2.20200531-1
pve-firewall: 4.1-2
pve-firmware: 3.1-1
pve-ha-manager: 3.0-9
pve-i18n: 2.1-3
pve-qemu-kvm: 5.0.0-10
pve-xtermjs: 4.3.0-1
qemu-server: 6.2-10
smartmontools: 7.1-pve2
spiceterm: 3.1-1
vncterm: 1.6-1
zfsutils-linux: 0.8.4-pve1
root@pve01:~#
 
pvesm set local-zfs --encryption-key autogen

Oh, overlooked the local-zfs part. This obviously won't work for a ZFS storage, it only works for a Proxmox Backup Server storage entry.
 
Oh, overlooked the local-zfs part. This obviously won't work for a ZFS storage, it only works for a Proxmox Backup Server storage entry.
Ahh thanks, I have now done the same thing for my backup server storage entry and the command worked. I have now created an LXC container backup (of a container that has not previously been backed up), and when taking a look at the PBS it shows up as not being encrypted; the PXAR file browser also works, and downloaded files are also in clear text.
 
the published docs are only updated every so often (usually at point releases). your local installation ships an up-to-date copy - available via the 'Documentation' and various 'Help' buttons in the GUI ;) the keys are stored next to the passwords in /etc/pve/priv/storage
 
the published docs are only updated every so often (usually at point releases). your local installation ships an up-to-date copy - available via the 'Documentation' and various 'Help' buttons in the GUI ;) the keys are stored next to the passwords in /etc/pve/priv/storage
Thanks for the hint, that helped a lot. I just checked, but the path /etc/pve/priv/<STORAGE-ID>.enc does not exist on my home lab server. Do I need to do anything special to generate this key? If I understand the docs correctly it should autogenerate itself.
 
Hi,

you can create an autogenerated key for a storage using:
pvesm set <storage-id> --encryption-key autogen if you use a recent enough libpve-storage-perl package (>= 6.2-3).
Containers backed up to this storage should then be encrypted by default, VMs too, but, IIRC, there may be something missing.

We'll work on integrating the encryption support better and more obviously into Proxmox VE.

the current packages don't handle the `--encryption-key` CLI parameter on pvesm correctly; the file has to be manually created via
`proxmox-backup-client key create --kdf=none /etc/pve/priv/storage/STORAGENAME.enc`
 
the current packages don't handle the `--encryption-key` CLI parameter on pvesm correctly; the file has to be manually created via
`proxmox-backup-client key create --kdf=none /etc/pve/priv/storage/STORAGENAME.enc`
Thanks, I have now created the file manually. But when I now do backups the backups still show up as not being encrypted in the Proxmox Backup Server.

My storage.cfg section for pbs on my pve host looks like this:
Code:
pbs: xxx
        datastore xxx
        server xxx
        content backup
        encryption-key autogen
        fingerprint xxx
        maxfiles 0
        username xxx
 
Okay, I have now dropped the line. So that my config looks like this (/etc/pve/storage.cfg):

Code:
pbs: xxx
        datastore xxx
        server xxx
        content backup
        fingerprint xxx
        maxfiles 0
        username xxx

but backups are still not being encrypted (backups are triggered using the UI with a backup schedule). What am I doing wrong here? :O Or should encryption-key inside of the config maybe point to the key's location like this: encryption-key /etc/pve/priv/storage/STORAGENAME.enc
 
no, it should be picked up automatically...
Okay, I have now, for testing purposes, created a brand new LXC container that has never been backed up and created a backup of it. In the storage.cfg I have removed the line as requested. But again the backup is not encrypted. And the log also doesn't mention any encryption being done.

Backup log:
Code:
INFO: starting new backup job: vzdump 111 --storage xxx --mailnotification always --quiet 1 --mode snapshot --all 0 --compress zstd --node pve01
INFO: Starting Backup of VM 111 (lxc)
INFO: Backup started at 2020-07-14 15:04:29
INFO: status = running
INFO: CT Name: testtest3
INFO: including mount point rootfs ('/') in backup
INFO: backup mode: snapshot
INFO: ionice priority: 7
INFO: create storage snapshot 'vzdump'
INFO: creating Proxmox Backup Server archive 'ct/111/2020-07-14T13:04:29Z'
INFO: run: lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- /usr/bin/proxmox-backup-client backup --crypt-mode=none pct.conf:/var/tmp/vzdumptmp30554/etc/vzdump/pct.conf root.pxar:/mnt/vzsnap0 --include-dev /mnt/vzsnap0/./ --skip-lost-and-found --backup-type ct --backup-id 111 --backup-time 1594731869 --repository xxx@pbs@xxx:xxx
INFO: Starting backup: ct/111/2020-07-14T13:04:29Z
INFO: Client name: pve01
INFO: Starting protocol: 2020-07-14T15:04:30+02:00
INFO: Upload config file '/var/tmp/vzdumptmp30554/etc/vzdump/pct.conf' to 'BackupRepository { user: Some("xxx@pbs"), host: Some("xxx"), store: "xxx" }' as pct.conf.blob
INFO: Upload directory '/mnt/vzsnap0' to 'BackupRepository { user: Some("xxx@pbs"), host: Some("xxx"), store: "xxx" }' as root.pxar.didx
INFO: root.pxar.didx: Uploaded 634355558 bytes as 183 chunks in 55 seconds (10 MB/s).
INFO: root.pxar.didx: Average chunk size was 3466423 bytes.
INFO: root.pxar.didx: Time per request: 301161 microseconds.
INFO: catalog.pcat1.didx: Uploaded 434085 bytes as 1 chunks in 55 seconds (0 MB/s).
INFO: catalog.pcat1.didx: Average chunk size was 434085 bytes.
INFO: catalog.pcat1.didx: Time per request: 55235718 microseconds.
INFO: Upload index.json to 'BackupRepository { user: Some("xxx@pbs"), host: Some("xxx"), store: "xxx" }'
INFO: Duration: PT55.452689562S
INFO: End Time: 2020-07-14T15:05:25+02:00
INFO: remove vzdump snapshot
INFO: Finished Backup of VM 111 (00:00:56)
INFO: Backup finished at 2020-07-14 15:05:25
INFO: Backup job finished successfully
TASK OK
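The log above is the quickest place to settle whether a backup was encrypted: the `run:` line carries the full proxmox-backup-client command, and its `--crypt-mode` value is `none` here. The following script is an added example, not code from the thread or from Proxmox; it pulls that value out of a vzdump task log, parses a storage.cfg in the format shown earlier in the thread, and reports for each `pbs:` entry whether an `encryption-key` property is set and whether the `/etc/pve/priv/storage/<ID>.enc` file from the manual workaround exists. The sample logs and config are constructed from the thread's own lines (the `--keyfile=` form in the encrypted sample is an assumption about how the client is invoked); the `exists` parameter is a hypothetical hook so the check can be run against a fake filesystem.

```python
import os
import re

# Constructed sample logs, modelled on the vzdump task log quoted in the thread.
LOG_UNENCRYPTED = """\
INFO: creating Proxmox Backup Server archive 'ct/111/2020-07-14T13:04:29Z'
INFO: run: lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- /usr/bin/proxmox-backup-client backup --crypt-mode=none pct.conf:/var/tmp/vzdumptmp30554/etc/vzdump/pct.conf root.pxar:/mnt/vzsnap0 --backup-type ct --backup-id 111 --repository xxx@pbs@xxx:xxx
INFO: Backup job finished successfully
TASK OK
"""

LOG_ENCRYPTED = """\
INFO: creating Proxmox Backup Server archive 'ct/111/2020-07-15T09:00:00Z'
INFO: run: lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- /usr/bin/proxmox-backup-client backup --crypt-mode=encrypt --keyfile=/etc/pve/priv/storage/xxx.enc pct.conf:/var/tmp/vzdumptmp31000/etc/vzdump/pct.conf root.pxar:/mnt/vzsnap0 --backup-type ct --backup-id 111 --repository xxx@pbs@xxx:xxx
INFO: Backup job finished successfully
TASK OK
"""

# Constructed storage.cfg with the pbs section from the thread plus a local dir storage.
STORAGE_CFG_SAMPLE = """\
dir: local
        path /var/lib/vz
        content iso,vztmpl,backup

pbs: xxx
        datastore xxx
        server xxx
        content backup
        encryption-key autogen
        fingerprint xxx
        maxfiles 0
        username xxx
"""

# The three crypt modes proxmox-backup-client knows: none, encrypt, sign-only.
CRYPT_MODE_RE = re.compile(
    r"proxmox-backup-client backup\b.*?--crypt-mode[= ](?P<mode>none|encrypt|sign-only)"
)


def crypt_mode(log_text):
    """Return the --crypt-mode the client was started with, or None when the log
    contains no proxmox-backup-client invocation (not a PBS backup, or log cut short)."""
    for line in log_text.splitlines():
        match = CRYPT_MODE_RE.search(line)
        if match:
            return match.group("mode")
    return None


def backup_was_encrypted(log_text):
    """Only 'encrypt' means the archive data is encrypted; 'sign-only' and 'none' are not."""
    return crypt_mode(log_text) == "encrypt"


def parse_storage_cfg(text):
    """Parse /etc/pve/storage.cfg: an unindented 'type: id' header starts a section,
    indented 'key value' lines belong to it. Returns {id: {"type": ..., key: value}}."""
    storages = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():
            stype, _, sid = raw.partition(":")
            current = storages[sid.strip()] = {"type": stype.strip()}
        elif current is not None:
            key, _, value = raw.strip().partition(" ")
            current[key] = value.strip()
    return storages


def pbs_key_status(storages, priv_dir="/etc/pve/priv/storage", exists=os.path.exists):
    """For every pbs storage report the encryption-key property from storage.cfg (if any)
    and whether <priv_dir>/<id>.enc, the key file the thread's workaround creates, is present.
    `exists` is a hypothetical hook so the check can run against a fake filesystem."""
    status = {}
    for sid, props in storages.items():
        if props.get("type") != "pbs":
            continue
        status[sid] = {
            "encryption-key": props.get("encryption-key"),
            "keyfile_present": exists(os.path.join(priv_dir, sid + ".enc")),
        }
    return status


if __name__ == "__main__":
    for name, log in (("unencrypted", LOG_UNENCRYPTED), ("encrypted", LOG_ENCRYPTED)):
        print(f"{name}: crypt-mode={crypt_mode(log)} encrypted={backup_was_encrypted(log)}")
    print(pbs_key_status(parse_storage_cfg(STORAGE_CFG_SAMPLE)))
```

On a real host, pass the text of `/etc/pve/storage.cfg` to `parse_storage_cfg` and leave `exists` at its default; the log can come from the task log of a scheduled backup. A `pbs:` entry with no key file present and a log showing `--crypt-mode=none` is exactly the situation described in this thread.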
 
After installing updates this morning, backups are now encrypted. I just started a backup of all my virtual machines. But for some of my virtual machines which I used to test the encrypted backup the entire backup was re-uploaded? Even though the virtual machine in question is running. So I thought it would use the dirty map incremental backup feature?
 
After installing updates this morning, backups are now encrypted. I just started a backup of all my virtual machines. But for some of my virtual machines which I used to test the encrypted backup the entire backup was re-uploaded? Even though the virtual machine in question is running. So I thought it would use the dirty map incremental backup feature?

yes, but encrypted chunks have their own namespace (derived from the key), so they can't re-use chunks that were previously uploaded in plaintext.
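The full re-upload follows directly from how a content-addressed chunk store deduplicates. The model below is an added example, not Proxmox code, and it simplifies the real on-disk format: plaintext chunks are addressed by the SHA-256 of their content, encrypted chunks by a keyed digest (HMAC-SHA-256 with the encryption key standing in for the key-derived secret), and the store only transfers a chunk whose address it has not seen. The same data therefore maps to a disjoint set of addresses once encryption is switched on, so nothing previously uploaded in plaintext matches, while a second encrypted run under the same key deduplicates again. The data, chunk size and key are constructed.

```python
import hashlib
import hmac

CHUNK_SIZE = 16  # constructed: tiny fixed-size chunks keep the numbers readable


def split_chunks(data, size=CHUNK_SIZE):
    """Fixed-size chunking (the real client chunks dynamically; irrelevant here)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def plain_chunk_id(chunk):
    """Unencrypted chunk: addressed by the SHA-256 of its content."""
    return hashlib.sha256(chunk).hexdigest()


def encrypted_chunk_id(chunk, key):
    """Encrypted chunk: addressed by a keyed digest, so identical content under a
    key lives at a different address than its plaintext copy or another key's copy."""
    return hmac.new(key, chunk, hashlib.sha256).hexdigest()


class ChunkStore:
    """Content-addressed store: a chunk is only transferred if its id is unknown."""

    def __init__(self):
        self.known = set()

    def upload(self, chunk_ids):
        sent = 0
        for cid in chunk_ids:
            if cid not in self.known:
                self.known.add(cid)
                sent += 1
        return sent


def backup(store, data, key=None):
    """Run one backup of `data` against `store`; return how many chunks had to be sent."""
    chunks = split_chunks(data)
    if key is None:
        ids = [plain_chunk_id(c) for c in chunks]
    else:
        ids = [encrypted_chunk_id(c, key) for c in chunks]
    return store.upload(ids)


def demo():
    data = b"0123456789abcdef" * 3 + b"fedcba9876543210" * 2  # 5 chunks, 2 distinct
    key = b"\x01" * 32  # constructed stand-in for the storage's .enc key
    store = ChunkStore()
    first_plain = backup(store, data)        # 2: both distinct chunks uploaded
    second_plain = backup(store, data)       # 0: every chunk already known
    first_enc = backup(store, data, key)     # 2: full re-upload, nothing matches in the keyed namespace
    second_enc = backup(store, data, key)    # 0: dedup works again within that key's namespace
    return first_plain, second_plain, first_enc, second_enc


if __name__ == "__main__":
    print("chunks sent per run (plain, plain, encrypted, encrypted):", demo())
```

The same reasoning applies to the dirty-bitmap case the question asks about: the bitmap only tells the client which blocks changed, but the chunks it then offers still have to match addresses the server already holds, and after the switch to encryption none do.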
 
Ahh okay thanks, I will wait until all of my virtual machines have finished backing up. And then do another run to check that :)
 