Questions about encryption

Kaboom

Dear all,

I made my backups encrypted with the option "Auto-generate a client encryption key, saved privately on cluster filesystem". But how can I browse this folder on the Proxmox Backup Server?

And if I want to restore this backup to another node (not the node where the backup came from) is this possible, or do I need a key then?

Maybe someone can tell me something more about safely storing these keys.

Thanks!
 
> Dear all,
>
> I made my backups encrypted with the option "Auto-generate a client encryption key, saved privately on cluster filesystem". But how can I browse this folder on the Proxmox Backup Server?

you can't, since you need the key and that is not available on the server side. you can browse it using the client (mount/catalog shell for pxar, map + regular linux tools for block device backups).

> And if I want to restore this backup to another node (not the node where the backup came from) is this possible, or do I need a key then?

you need the key

> Maybe someone can tell me something more about safely storing these keys.

There are a few ways (it might be a good idea to use more than one ;))
  • if you have a lot of clients: generate (once) and import a master key (at each client), and apply the below points to the master key
  • store the keyfile's contents in your password manager/HSM/...
  • store the keyfile on some trusted/encrypted system other than where the backup client runs
  • use the paperkey command to create a printable version of the keyfile, print it, and put it in your safe/firebox/bank vault/...
if you import a master key, the client will encrypt the encryption key using this master key, and put that encrypted copy into the backup itself. more info in the docs: https://pbs.proxmox.com/docs/backup...ster-key-to-store-and-recover-encryption-keys
 
Thanks Fabian, but I don't understand the part about how I can browse the backup on the node (stored on the Proxmox Backup Server). Can you explain this a little bit more?
 
proxmox-backup-client catalog shell or proxmox-backup-client mount for container backups, proxmox-backup-client map for VM backups. this part will get more integrated into PVE in the future.
 
I can create and restore backups through the GUI now, everything encrypted.

On the node where all my containers are running I run 'proxmox-backup-client snapshots' and it gives me a list of all backups on the PBS.

Then I want to mount this backup: proxmox-backup-client mount ct/203/2020-12-01T03:08:50Z root.pxar /mnt/mountpoint
But I get this error: Error: missing key - manifest was created with key xx:xx:xx:xx:xx:xx:xx

I created all the keys automatically through the GUI when creating a new storage.

What am I doing wrong?
 
you need to pass the keyfile (the PVE generated ones are in /etc/pve/priv/storage/*.enc, but hopefully you DO have a backup copy of those somewhere? ;))
 
There are 2 files in the storage dir: xxx.enc and xxx.pw. I made backups during the setup of the storage.

Sorry but I don't know how to pass the keyfile.
 
add --keyfile /path/to/storage.enc to the command
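
As an added example (not part of the original posts and not Proxmox's own tooling), these shell helpers wrap the mount command from the thread so that the keyfile is checked before use and an off-host copy can be verified against the live key. The function names and the `PBS_CLIENT` override are hypothetical, `stat -c` assumes GNU coreutils, and the repository is assumed to be configured already, as it was for the `snapshots` call in the thread.

```shell
# Added example, not from the thread. PBS_CLIENT is a hypothetical override
# so the resulting command can be previewed without a PBS installation.
PBS_CLIENT="${PBS_CLIENT:-proxmox-backup-client}"

# Succeeds only if the keyfile exists, is non-empty and is not accessible
# to group or others (mode must end in 00, e.g. 600 or 400).
check_keyfile() {
    local keyfile="$1" mode
    [ -s "$keyfile" ] || { echo "keyfile missing or empty: $keyfile" >&2; return 1; }
    mode=$(stat -c '%a' "$keyfile") || return 1
    case "$mode" in
        *00) return 0 ;;
        *) echo "keyfile $keyfile has mode $mode; restrict it to the owner" >&2
           return 1 ;;
    esac
}

# Succeeds only if the off-host copy is owner-only and byte-identical to the
# live keyfile, i.e. it could actually be used for a restore on another node.
verify_key_copy() {
    local live="$1" copy="$2"
    check_keyfile "$copy" || return 1
    cmp -s "$live" "$copy" || { echo "copy differs from $live" >&2; return 1; }
}

# Mount a pxar archive from an encrypted snapshot, passing the key explicitly.
# Usage: mount_encrypted <snapshot> <archive> <mountpoint> <keyfile>
mount_encrypted() {
    local snapshot="$1" archive="$2" target="$3" keyfile="$4"
    check_keyfile "$keyfile" || return 1
    "$PBS_CLIENT" mount "$snapshot" "$archive" "$target" --keyfile "$keyfile"
}
```

Setting `PBS_CLIENT=echo` prints the command that would be run instead of executing it.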
 