Making Sure Client-Side Encryption is Enabled

Sep 1, 2022
When I set up a backup task to push some VM and LXC backups to my test PBS server, I selected to enable client-side encryption. It made me acknowledge a warning and save a client-side encryption key.

Now, when I look at my PVE instance and the PBS server, neither of them show encryption is enabled for the backups in question. If I go to a VM and look at its Backup tab, it also says there is "No" encryption.

When I view Job Detail in Datacenter --> Backup, it doesn't say anything about whether the backup is encrypted, either way.
This seems … wrong? I'd understand the server not saying the backup is encrypted, as it's supposed to be encrypted before it leaves the PVE node, but shouldn't the PVE node or the PBS server acknowledge somewhere that the backups are encrypted?

Have I done something wrong?
Edit: Looks like it. I found the relevant docs here: https://pve.proxmox.com/pve-docs/pve-admin-guide.html#storage_pbs
From those, the /etc/pve/storage.cfg entry for the PBS server should show an encryption key. Something like this:
Code:
pbs: backup
        datastore main
        server enya.proxmox.com
        content backup
        fingerprint 09:54:ef:..snip..:88:af:47:fe:4c:3b:cf:8b:26:88:0b:4e:3c:b2
        prune-backups keep-all=1
        username archiver@pbs
        encryption-key a9:ee:c8:02:13:..snip..:2d:53:2c:98
        master-pubkey 1

Mine does not. Fabulous. So, I need to start over, as there's no way to change that on an existing PBS storage.

Screenshots (not included): PBS datastore, PVE backup job details, and an example VM's Backup tab.
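A check for exactly the situation described above, added here as an example that is not part of the thread or of Proxmox's own tooling: it parses the storage.cfg layout quoted above and lists every pbs storage that has no encryption-key line. SAMPLE_CFG is constructed; the offsite-test id and the pbs.example.invalid server are made up.

```python
"""Check which PBS storages in a PVE storage.cfg have client-side
encryption configured. Added example, not from the thread or Proxmox;
SAMPLE_CFG is constructed from the storage.cfg layout quoted above."""
from typing import Dict, List

SAMPLE_CFG = """\
dir: local
        path /var/lib/vz
        content iso,vztmpl

pbs: backup
        datastore main
        server enya.proxmox.com
        content backup
        username archiver@pbs
        encryption-key a9:ee:c8:02:13:..snip..:2d:53:2c:98
        master-pubkey 1

pbs: offsite-test
        datastore main
        server pbs.example.invalid
        content backup
        username archiver@pbs
"""

def parse_storage_cfg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the '<type>: <id>' header plus indented 'key value' format."""
    storages: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            stype, _, sid = raw.partition(":")   # section header
            current = {"type": stype.strip()}
            storages[sid.strip()] = current
        elif current is not None:
            key, _, value = raw.strip().partition(" ")
            current[key] = value.strip()
    return storages

def unencrypted_pbs_storages(text: str) -> List[str]:
    """pbs storages with no encryption-key: backups to them leave the node in plaintext."""
    cfg = parse_storage_cfg(text)
    return sorted(sid for sid, s in cfg.items()
                  if s["type"] == "pbs" and not s.get("encryption-key"))

if __name__ == "__main__":
    for sid in unencrypted_pbs_storages(SAMPLE_CFG):
        print(f"WARNING: pbs storage '{sid}' has no encryption-key line")
```

On a real node, pass the contents of /etc/pve/storage.cfg to unencrypted_pbs_storages() instead of SAMPLE_CFG.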
So, I need to start over, as there's no way to change that on an existing PBS storage.
Correct, not for the existing backups already stored - as far as I understand.

But you can delete all of them and go to Datacenter --> Storage --> your PBS --> third page of the dialog = Encryption. It has Edit capabilities for the key including Delete/Create new and upload a key from your backup.

:)
 
Correct, not for the existing backups already stored - as far as I understand.

But you can delete all of them and go to Datacenter --> Storage --> your PBS --> third page of the dialog = Encryption. It has Edit capabilities for the key including Delete/Create new and upload a key from your backup.

:)
Thanks. :) I've enabled encryption on the PVE node now, and pruned all the unencrypted backups. They should be gone once garbage collection runs again, and then I'll start over. I was rushing a bit since I was testing, and need to more carefully configure things on the server side regarding authentication.

I'm a bit concerned that the unencrypted backups are still recoverable if someone has access to the server and can try to recover deleted data.
I wonder how complete the deletion is.
 
Deleting backups simply deletes them from the filesystem, meaning that the filesystem no longer knows that the files exist. They may be overwritten anytime, but this obviously means that the data is not securely erased. If you have a hard requirement on securely erasing data, there are special tools for doing that. PBS does not allow doing that, and the special tools I was talking about would wipe the whole disk anyway, not just the backups.
 
I'm a bit concerned that the unencrypted backups are still recoverable if someone has access to the server and can try to recover deleted data.
Well..., probably this is technically correct. But..., do you actually fear a targeted attack on this level? From my limited (and possibly wrong) point of view this is for untrustworthy state actors with a Three-Letter-Acronym.

Of course there are areas where my personal paranoia level is much higher than that of a common citizen.

Encrypting data is always a good idea. When it leaves the primary hosting site it is a must.
 
Encrypting data is always a good idea. When it leaves the primary hosting site it is a must.
Yeah. This was my test Tuxis offsite cloud PBS backup, so I really, really did not mean to send unencrypted backups.

I'm going to file an issue with @tuxis and see what they say. I suspect they don't really want recoverable deleted data on their servers any more than I want it there. :)
 
Hello,

I heard back from @tuxis re: data retention of pruned and GC'd backups. Sounds like everything gets fully deleted and nothing is retained, though I'm a bit nervous about putting words in their mouth. It'd be great if @tuxis could state that directly in this thread.
 
The deletion is as complete as it gets. If PBS removes your data, it is removed from the underlying ZFS filesystem. We are not doing snapshots or replication to other machines.
 
The deletion is as complete as it gets. If PBS removes your data, it is removed from the underlying ZFS filesystem. We are not doing snapshots or replication to other machines.
Thanks for confirming this. My VM and LXCs shouldn't have sensitive information, but just in case, it's nice to know that pruning and GC clears them out completely. :)
 