[SOLVED] How to "isolate" PBS from PVE - security best practices ...

P

Petr Svacina

Well-Known Member
Oct 1, 2018
48
18
48
49
Hi I have a question:

How to best secure PBS backup ?

I can do lot of things, separated vLans for storage, firewall rules, but if someone hack the root of the PVE, which have a PBS mounted, so we have a problem.

Attacker can read storage.cfg and storage.pw and use it for the connection to PBS ...

Is there any way how to protect this scenario ?
 
Last edited:
you can give the PVE access token only access to read old backups and create new ones, but not remove/prune backups. you can combine this with a sync job on the PBS side to keep an offsite archive that is decoupled from the main PBS system (with separate pruning, verification and GC).
 
  • Like
Reactions: weehooey-bh and UdoB
You must log in or register to reply here.
Top Bottom