How to do encrypted backups

[ntimo]

I just created a backup of another vm and for some reason this backups is not encrypted while the previous backups where here is the log:

Do you have a clue why this backup has not been encrypted? I would guess that the backups should be encrypted since it mentions INFO: enabling encryption in the log. But when viewing the backup in the Proxmox Backup Server log it says encrypted: NO.

INFO: Backup started at 2020-07-15 13:35:04
INFO: status = running
INFO: VM Name: xxx
INFO: include disk 'scsi0' 'local:102/vm-102-disk-0.qcow2' 50G
INFO: backup mode: snapshot
INFO: ionice priority: 7
INFO: creating Proxmox Backup Server archive 'vm/102/2020-07-15T11:35:04Z'
INFO: issuing guest-agent 'fs-freeze' command
INFO: enabling encryption
INFO: issuing guest-agent 'fs-thaw' command
INFO: started backup task '0e2473be-5f03-405b-899c-68a594d05ca6'
INFO: resuming VM again
INFO: status: 0% (408.0 MiB of 50.0 GiB), duration 3, read: 136.0 MiB/s, write: 136.0 MiB/s
INFO: status: 100% (50.0 GiB of 50.0 GiB), duration 7753, read: 48.4 MiB/s, write: 48.4 MiB/s
INFO: backup was done incrementally, reused 13.10 GiB (26%)
INFO: transferred 50.00 GiB in 7753 seconds (6.6 MiB/s)
INFO: Finished Backup of VM 102 (02:09:13)
INFO: Backup finished at 2020-07-15 15:44:17
INFO: Backup job finished successfully
TASK OK

 

[derf]

I can confirm, same bug occur at least one time...

But non-reproducible at this moment to fill a bug report.

 

[fabian]

can you try downloading the VM config file from such a backup? does it work or display an error?

 

[derf]

I've confirmed when it's occured, qemuserver.conf is viewable at BPS side, and "show configuration" in VM backup display VM config at PVE side.

Question: Encryption is heavilly in development, or it's in a "stable/beta" state at this time ?

 

[t.lamprecht]

Question: Encryption is heavilly in development, or it's in a "stable/beta" state at this time ?

The whole Proxmox Backup Server is considered beta currently. But, encryption on the PBS side is not heavily in development.
Most of the issues here were from the integration into Proxmox VE, and often it was caused by older package versions (we only moved most relevant stuff to the enterprise repository yesterday).

There are certainly some integration issues to fix or improve, but, the underlying stack at the PBS side is seen as rather stable than unstable.

 

[derf]

Thank's for your reply, I wait for an update before to do another tests.

Without encryption, that's work very well !

 

[tuxis]

After doing an encrypted backup, when I try to restore I get:
proxmox-backup-client failed: Error: wrong signature in manifest (500)

PBS confirms that encryption is 'mixed', but the disk and config are encrypted.

Am I doing it wrong?

 

[derf]

See https://forum.proxmox.com/threads/restore-vm-encrypted-doesnt-work.72961/

 

[koshak]

can you try downloading the VM config file from such a backup? does it work or display an error?

have found that VM, which was backed up before I copied generated key to /etc/pve/priv/ keep unencrypted state for later backups,
was trying to delete old backups - nothing changed

 

[fabian]

have found that VM, which was backed up before I copied generated key to /etc/pve/priv/ keep unencrypted state for later backups,
was trying to delete old backups - nothing changed

View attachment 18775

I am not sure whether I parse your message correctly, but maybe you are hitting https://bugzilla.proxmox.com/show_bug.cgi?id=2866 ?

 

[koshak]

I am not sure whether I parse your message correctly, but maybe you are hitting https://bugzilla.proxmox.com/show_bug.cgi?id=2866 ?

Looks very similar, thanks, will wait for an update.

 

[koshak]

still not fixed
today I have made a fresh PBS install, added datastore(with encryption key) to PVE, and found that backup of old VM(which was previously backed up to another unencrypted pbs datastore) is unencrypted, while new VM(no previous backup) backup is encrypted

 

[fabian]

please post the output of pveversion -v on the PVE host..

 

[koshak]

please post the output of pveversion -v on the PVE host..

root@pve:~# pveversion -v
proxmox-ve: 6.2-1 (running kernel: 5.4.44-2-pve)
pve-manager: 6.2-11 (running version: 6.2-11/22fb4983)
pve-kernel-5.4: 6.2-6
pve-kernel-helper: 6.2-6
pve-kernel-5.3: 6.1-6
pve-kernel-5.4.60-1-pve: 5.4.60-2
pve-kernel-5.4.44-2-pve: 5.4.44-2
pve-kernel-5.4.41-1-pve: 5.4.41-1
pve-kernel-5.3.18-3-pve: 5.3.18-3
ceph-fuse: 12.2.11+dfsg1-2.1+b1
corosync: 3.0.4-pve1
criu: 3.11-3
glusterfs-client: 5.5-3
ifupdown: 0.8.35+pve1
libjs-extjs: 6.0.1-10
libknet1: 1.16-pve1
libproxmox-acme-perl: 1.0.5
libpve-access-control: 6.1-2
libpve-apiclient-perl: 3.0-3
libpve-common-perl: 6.2-2
libpve-guest-common-perl: 3.1-3
libpve-http-server-perl: 3.0-6
libpve-storage-perl: 6.2-6
libqb0: 1.0.5-1
libspice-server1: 0.14.2-4~pve6+1
lvm2: 2.03.02-pve4
lxc-pve: 4.0.3-1
lxcfs: 4.0.3-pve3
novnc-pve: 1.1.0-1
proxmox-mini-journalreader: 1.1-1
proxmox-widget-toolkit: 2.2-12
pve-cluster: 6.1-8
pve-container: 3.2-1
pve-docs: 6.2-5
pve-edk2-firmware: 2.20200531-1
pve-firewall: 4.1-2
pve-firmware: 3.1-3
pve-ha-manager: 3.1-1
pve-i18n: 2.2-1
pve-qemu-kvm: 5.1.0-1
pve-xtermjs: 4.7.0-2
qemu-server: 6.2-14
smartmontools: 7.1-pve2
spiceterm: 3.1-1
vncterm: 1.6-2
zfsutils-linux: 0.8.4-pve1

 

[fabian]

did you actually start the existing VM fresh? otherwise it won't load the new backup library version, and still use the old behaviour..

 

[koshak]

did you actually start the existing VM fresh? otherwise it won't load the new backup library version, and still use the old behaviour..

hmmm, its solved the problem on my home server, will check another server tomorrow, thank you

 

[koshak]

have checked another host, and yes, all fresh backups are encrypted now, thank you!

 

[papete]

Ahh okay thanks, I will wait until all of my virtual machines have finished backing up. And then do another run to check that

Hello ntimo, then as a summary you could put the steps that worked for you to encrypt the backup copies (VM). Thank you