[SOLVED] Questions regarding encryption

kpwn

New Member
Jun 8, 2021
Hi,
I've got 2 questions about how to properly secure my data. The setup is one server running PVE and another server running PBS. All on premise. The VMs are stored on thin-provisioned LVMs that are encrypted using LUKS. The key is stored on a hardware token. I am really happy with that. It works great and offers a high level of security against our main concern, which is simple theft. If something gets stolen, the disks can't be encrypted since the token requires a key and bricks itself after 3 failed attempts. The disk with Proxmox itself on it is not encrypted.
  1. I enabled the backup encryption through the GUI. It worked and created 2 files for each datastore of the PBS: one *.enc file and one *.pw file. According to the manual, the *.enc file needs to be kept safe. I used the paperkey function and will keep the printout safe. However, the file is still on the PVE server (/etc/pve/priv/storage/<STORAGE-ID>). Can I safely shred it or is it required? What about the *.pw file?
  2. The feature to encrypt backups is done client side. The main purpose is usage with a possibly untrusted PBS. I can trust my PBS, so I do not require encryption for that reason. I need encryption in case the disks or the entire PBS get stolen. Can I somehow use a LUKS container or LVM or thin-provisioned LVM as a datastore for PBS? If that is possible, I can protect the data with the same method I use for PVE. I would prefer that, as this solution is already working fine.
Thanks for all your help in advance.
 

Matthias.

Proxmox Staff Member
Jan 17, 2022
Re 1: the enc file is required, as it contains the key to encrypt the backup. Without it, you can't create new encrypted backups, and you can't decrypt the existing backups.
The .pw file contains the password for the PBS; without that, the PBS can't be accessed anymore.

Re 2: sure, you can set up an encrypted partition/..., create a FS there, and add it as a datastore.
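
The steps from the second answer as a shell sketch, plus a check that a datastore path really sits on a LUKS-backed device; this is an added example, not part of either post and not Proxmox's own tooling. The device, mapper name, mount point and datastore name are operator-supplied placeholders, and ext4 with a passphrase prompt is an assumption.

```sh
#!/bin/sh
# Added example. Placeholders (assumptions): device, mapper name, mount point
# and datastore name are passed in by the operator; none come from the thread.

# One-time setup, run as root on the PBS host. luksFormat wipes the device and
# prompts for a passphrase here; token-based unlocking is site-specific.
setup_encrypted_datastore() {
    dev=$1; map=$2; mnt=$3; store=$4
    cryptsetup luksFormat "$dev" &&
    cryptsetup open "$dev" "$map" &&
    mkfs.ext4 "/dev/mapper/$map" &&
    mkdir -p "$mnt" &&
    mount "/dev/mapper/$map" "$mnt" &&
    proxmox-backup-manager datastore create "$store" "$mnt"
}

# Reads `lsblk -srno TYPE,FSTYPE <dev>` output (the device plus every layer
# beneath it) on stdin; succeeds if any layer is dm-crypt / LUKS.
chain_has_luks() {
    awk '$1 == "crypt" || $2 == "crypto_LUKS" { found = 1 }
         END { exit !found }'
}

# Succeeds only if the filesystem holding the given path sits on LUKS.
# If the volume is not unlocked and mounted, the path resolves to the parent
# filesystem and the check fails, which is the case worth catching.
datastore_on_luks() {
    src=$(findmnt -no SOURCE --target "$1") || return 2
    lsblk -srno TYPE,FSTYPE "$src" | chain_has_luks
}

# Constructed sample lsblk output: ext4 on LUKS, then plain ext4.
SAMPLE_LUKS='crypt ext4
part crypto_LUKS
disk'
SAMPLE_PLAIN='part ext4
disk'

# Usage: sh script.sh check /mnt/datastore/encrypted
if [ "${1:-}" = "check" ]; then
    if datastore_on_luks "${2:?datastore path required}"; then
        echo "OK: $2 is on an encrypted device"
    else
        echo "WARNING: $2 is NOT on an encrypted device" >&2; exit 1
    fi
fi
```

Running the check before backup jobs start catches the case where the host rebooted and the datastore directory is silently being written to the unencrypted system disk.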
 
