Restoring encrypted backup outside the cluster

Tacioandrade

Good night, friends! I am testing PBS in parallel with the full backup of some VMs, and now with the option of incremental backup I can deploy something that I have wanted to do for a long time.

My client has some local Proxmox and 2 PVEs in the OVH cloud. My goal is to use PBS to, in case of a need for greater demand than the local network can support, increase the backup of some instances in OVH.

For this I installed the local PBS and PBS on OVH and replicated the data, which worked perfectly; however, since PBS saves the data on an OVH NFS storage, I had to safely encrypt the backups.

During a VM restore test, it gives an error, stating that it apparently does not have the encryption key.

Error: wrong signature in manifest
TASK ERROR: command '/usr/bin/proxmox-backup-client restore '--crypt-mode=encrypt' '--keyfd=13' vm/599/2020-10-23T05:48:47Z index.json /var/tmp/vzdumptmp5187/index.json --repository root@pam@54.x.x.x:backupvms' failed: exit code 255

My question is simple: is there any way to import the encryption key used by local PVEs into PVEs in the cloud? Another option I would like to know about is whether the same key could be placed on both sides, making replication possible in both directions.

Thank you in advance for your help.
If you auto-generated the key on the PVE side, then it is stored in /etc/pve/priv/storage/STORAGEID.enc. You can also use 'pvesm' to put a key there. I'd make backups of all existing keys before starting to play around, otherwise you might accidentally overwrite the only existing copy of a backup key, which would make the corresponding backups unreadable.
My goal is to start backups from scratch, copy the key from one of the Proxmox nodes and throw it in the other cluster.

Regarding pvesm, I have never used it. Would you have any recommended material to do this? I saw that everything in /etc/pve is mounted in fuse. I have never had any experience with it, so I would like to ask for help on that point.
 
'man pvesm' gives some pointers. If you want to start from scratch, then you can just copy the key file from one PVE node's /etc/pve/priv/storage/ to another node's. If the storage IDs are not identical, you need to adapt the file name accordingly.

I suggest making a backup of the key in any case!
@fabian Could you give some advice?
I have 2 PVE clusters (test and prod) with an identically named PBS (1 PBS connected to test and prod). When I tried to restore a VM from the prod to the test cluster I got an error. So, how do I configure the encryption key to restore VMs in the test and prod clusters?
Does it mean that I should copy the encryption key from the prod cluster nodes to the test cluster nodes?
When restoring, you need the encryption key used when backing up. Whether you share the key, or configure a separate storage with each key is up to you.
 
Good afternoon, friends! I had tried to copy the JSON from the /etc/pve/priv/storage/pbs06.enc file manually to the other PBS, but it didn't work properly. I went to check its md5 hash and saw that it was different, probably because of some space or something like that.

After I sent it to the destination server via scp, I managed to make it work!

Taking advantage of the day today to do some backup / restore tests to see if it works well, thank you!
 
Here for me I had to do the following step by step:

1 - In PBS remove all backups that I had previously generated, to get rid of backups with different encryption keys
2 - Recreate the datastore
3 - Copy via scp the file /etc/pve/priv/storage/pbs06.enc from the local host to the host in the cloud (you will have to do it from host to host if you work in a cluster), because when I copied and pasted the contents of the .json it didn't work: it didn't have the same md5 hash, since I must have missed some space or something
4 - I ran the backup again
5 - I forced a restore of the backup made locally on the cloud instance.

The error I had gotten earlier was:

Code:
Error: trailing characters at line 1 column 144
TASK ERROR: command '/usr/bin/proxmox-backup-client restore '--crypt-mode=encrypt' '--keyfd=13' vm/101/2020-11-01T07:33:56Z index.json /var/tmp/vzdumptmp16951/index.json --repository root@pam@x.x.x.230:backupvms' failed: exit code 255

I am currently performing the restore of the VM and it is already at 60%
Hi, the solution is:
1. Connect PBS to the new PVE; in the settings, tick the checkbox "Auto-generate a client encryption key, saved privately on cluster filesystem".
2. After connecting, replace the files on the second PVE with the ones from the first PVE, and give them the same name as the ID field; your files need to have the same name as the ID when you add PBS to your datastore.
3. Try to restore the VM to the other (new) PVE.
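
The key copy discussed in this thread, as an added shell example that is not from any of the posters or from Proxmox: it installs a key file under the storage ID's name, confirms a byte-exact copy by comparing SHA-256 digests (the thread compared md5), and saves any different key already in place first. The function names and the backup directory are assumptions; the demo at the end uses a constructed file, not a real key.

```shell
#!/bin/sh
# key_digest FILE: print the SHA-256 of FILE (run it on both hosts and compare).
key_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# install_key SRC KEY_DIR STORAGE_ID BACKUP_DIR
# KEY_DIR is /etc/pve/priv/storage on a real node; BACKUP_DIR is an
# operator-chosen location (assumption), ideally outside /etc/pve.
# Returns 0 on success, 1 on bad input, 2 if a copy does not verify.
install_key() {
    src=$1; key_dir=$2; storage_id=$3; backup_dir=$4
    dest="$key_dir/$storage_id.enc"      # file name must match the storage ID

    [ -s "$src" ] || { echo "source key missing or empty: $src" >&2; return 1; }
    want=$(key_digest "$src")

    if [ -f "$dest" ]; then
        have=$(key_digest "$dest")
        if [ "$have" = "$want" ]; then
            echo "key already installed: $dest"
            return 0
        fi
        # A different key is present. It may be the only copy able to read
        # older backups, so keep it before overwriting.
        old_umask=$(umask); umask 077
        mkdir -p "$backup_dir"
        bak="$backup_dir/$storage_id.enc.$(printf '%s' "$have" | cut -c1-12)"
        cp "$dest" "$bak"
        umask "$old_umask"
        [ "$(key_digest "$bak")" = "$have" ] || return 2
        echo "existing key saved as $bak"
    fi

    cp "$src" "$dest" || return 2
    [ "$(key_digest "$dest")" = "$want" ] || {
        echo "digest mismatch after copy: $dest" >&2; return 2; }
    echo "installed $dest sha256=$want"
}

# Constructed demo in a scratch directory (placeholder content, not a key).
demo=$(mktemp -d); mkdir "$demo/keys"
printf '%s' '{"constructed":"not a real key"}' > "$demo/pbs06.enc"
install_key "$demo/pbs06.enc" "$demo/keys" pbs06 "$demo/bak"
rm -rf "$demo"
```

Running key_digest on the source node and on the destination after an scp shows immediately whether the file arrived unchanged, which a copy-and-paste of the JSON does not guarantee.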