Proxmox Backup Server 4.0 released!

Encryption on storage and encryption in PBS are completely different things. For example, on the storage level (like ZFS) you need support by the storage (ZFS encryption or Linux dm-crypt), while encrypted backups to PBS don't need a specific filesystem to work.

See also: https://forum.proxmox.com/threads/proxmox-deduplication.140304/post-799715


The key for PBS backups is on the Proxmox VE server; you will need to save it somewhere else to be able to restore your backups. For that reason it's a good idea to back up everything in /etc/pve outside of PBS.

Thanks for your reply. I understand the part about the disk drive and PBS not working on the same layer.

I enabled encryption on PVE for PBS backups yesterday, but I still don't know on which layer the encryption is done and with which protocol. For now my last backup is encrypted (cf. pic), but only the diff is encrypted (only half of the previous backup has been reused). The fact is that I don't want my file to be unencrypted.




Encryption happens on the client side, and PBS always does a full backup, not differential backups; the re-use of existing data happens through content-addressable storage, not some diffing.
So, due to changing from unencrypted to (client-side) encryption, all data effectively changes, and thus the first backup is already fully encrypted even if there still exist older backup snapshots without encryption.

To then have only encrypted backups left over, you can simply prune all older unencrypted ones. But I'd strongly recommend doing a restore test beforehand to ensure that everything actually works. Ideally, do this by temporarily adding the same PBS as a new storage in the PVE system, as with that you will have to test the process of restoring the client-side encryption key too.
 
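The chunk re-use described in the reply above, as an added example that is not part of the thread and not Proxmox code: a toy content-addressable chunk store showing why the first backup after enabling client-side encryption uploads everything again. `Store`, `seal`, the 4-byte chunk size, the key and the sample data are constructed for illustration, and the XOR in `seal` is only a stand-in for real encryption.

```python
import hashlib
import hmac

CHUNK = 4  # tiny fixed chunk size so the constructed samples split into several chunks

def seal(chunk: bytes, key: bytes) -> bytes:
    """Stand-in for client-side encryption (NOT real crypto, not PBS's cipher):
    XOR with a key-derived stream, so stored bytes depend on the key. Self-inverse."""
    stream = hmac.new(key, b"chunk-stream", hashlib.sha256).digest()
    return bytes(b ^ s for b, s in zip(chunk, stream))

class Store:
    """Toy content-addressable chunk store: blobs are filed under their SHA-256."""
    def __init__(self):
        self.blobs = {}      # digest -> stored bytes
        self.snapshots = {}  # name -> (encrypted?, ordered list of digests)

    def backup(self, name, data, key=None):
        """Full backup: every chunk is indexed, only unknown digests are uploaded."""
        index, uploaded = [], 0
        for i in range(0, len(data), CHUNK):
            blob = seal(data[i:i + CHUNK], key) if key else data[i:i + CHUNK]
            digest = hashlib.sha256(blob).hexdigest()
            if digest not in self.blobs:
                self.blobs[digest] = blob
                uploaded += 1
            index.append(digest)
        self.snapshots[name] = (bool(key), index)
        return uploaded, len(index)

    def prune_unencrypted(self):
        """Drop unencrypted snapshots, then collect chunks nothing references."""
        self.snapshots = {n: s for n, s in self.snapshots.items() if s[0]}
        live = {d for _, index in self.snapshots.values() for d in index}
        self.blobs = {d: b for d, b in self.blobs.items() if d in live}

    def restore(self, name, key=None):
        blobs = (self.blobs[d] for d in self.snapshots[name][1])
        return b"".join(seal(b, key) if key else b for b in blobs)

def demo():
    old, new, key = b"AAAABBBBCCCCDDDD", b"AAAABBBBCCCCEEEE", b"constructed-key"
    s = Store()
    runs = [s.backup("mon", old), s.backup("tue", new),            # plain
            s.backup("wed", new, key), s.backup("thu", old, key)]  # encrypted
    s.prune_unencrypted()
    return runs, len(s.blobs), s.restore("thu", key), s.restore("thu", b"wrong-key")

if __name__ == "__main__":
    print(demo())
```

Each tuple in `runs` is (chunks uploaded, chunks indexed): every run indexes all four chunks, and the restore with the wrong key returns different bytes, which is what a restore test with a re-imported key is meant to catch.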