[SOLVED] Share encryption key between two PBS?

Samoritano

Member
Jun 20, 2019
7
0
6
45
Hi.

I've been using PBS as a backup service for my PVE servers and it's really great. After the OVH disaster I decided to set up another server for syncing my main PBS backups. This is my current stack:

PVE1 -> PVE Server (Cluster mode)
PVE2 -> PVE Server (Cluster mode)
PBS1 -> PBS Main Server (All CT backups go to this PBS Server)
PBS2 -> PBS Sync Server (I have a PBS sync job for copying everything stored in PBS1)

Everything works pretty smoothly so far, but when I tried to restore a CT backup from PBS2 into PVE2, I got this message.

Code:
Error: missing key - manifest was created with key b1:f7:ef:44:xx:xx:xx:xx
(This is the PVE1 encryption key, since this container is stored on that server.)

But if I try to restore the CT from PBS1, I can restore and decrypt the backup, so I guess I'm missing something about encryption keys.

Are the keys unique for every client, or can they be shared between clients?
How is it that the same client can restore from PBS1 but not from PBS2, even though the encryption key used for the backup is the same one?
Do I have to share encryption keys between both PBS?
Or do I have to set up the PBS2 server with the PBS1 encryption key, since it just stores backups that were made on the PBS1 server?

Any help would be much appreciated.

Thx.
 
Hey,

the encryption key is generated when you add the PBS to your PVE. After adding the PBS you should be asked if you want to download or save the key somewhere; you'll get a file ending with .enc, and this file contains a simple JSON that represents the key. This key is used to encrypt everything that is backed up from this PVE, so in order to restore a backup that was taken from PVE1 you need the key that was used for encryption. This key can be saved after you added the PBS; if you didn't save it, it is also available in /etc/pve/priv/storage. This key is what PVE2 needs in order to make sense of the data saved on PBS2, so when you add PBS2 to PVE2 you have to upload the key from PVE1 in the encryption tab. If you use the CLI tool proxmox-backup-client restore, you have to use the --keyfile parameter to tell the binary what key to use for decryption.
If you encounter any other problem, feel free to just post here, and for details you can take a look at [1].

[1] https://pbs.proxmox.com/docs/backup-client.html#encryption
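Before assigning a copied .enc file to the PBS2 storage on PVE2, it is worth confirming that the file really is the key the error message names. The following is an added Python example, not code from this thread or from Proxmox; it assumes the key file's JSON carries a `fingerprint` field in the same colon-separated hex format as the error output, and it works on a constructed sample key file rather than a real one.

```python
import json
import re

# Constructed sample key file (not a real key): only the "fingerprint" field
# is used by the check; a real file carries base64 key material in "data".
SAMPLE_KEY_FILE = json.dumps({
    "kdf": None,
    "created": "2021-03-15T10:00:00Z",
    "modified": "2021-03-15T10:00:00Z",
    "data": "<base64 key material, omitted in this constructed sample>",
    "fingerprint": "b1:f7:ef:44:0a:1b:2c:3d:4e:5f:60:71:82:93:a4:b5",
})

# The restore error quoted in the thread; the poster masked the tail with xx.
SAMPLE_ERROR = "Error: missing key - manifest was created with key b1:f7:ef:44:xx:xx:xx:xx"

ERROR_RE = re.compile(r"manifest was created with key ([0-9a-fA-Fx:]+)")


def fingerprint_from_error(message):
    """Return the fingerprint quoted in a 'missing key' error, or None."""
    m = ERROR_RE.search(message)
    return m.group(1).lower() if m else None


def fingerprint_from_keyfile(text):
    """Return the 'fingerprint' field (assumed field name) of a .enc key file, or None."""
    doc = json.loads(text)
    fp = doc.get("fingerprint")
    return fp.lower() if isinstance(fp, str) else None


def keyfile_matches_error(key_text, error_message):
    """True if every unmasked byte of the error's fingerprint matches the key file,
    False on a mismatch, None if either side carries no fingerprint to compare."""
    wanted = fingerprint_from_error(error_message)
    have = fingerprint_from_keyfile(key_text)
    if wanted is None or have is None:
        return None
    have_parts = have.split(":")
    for i, part in enumerate(wanted.split(":")):
        if part == "xx":
            continue  # masked in the pasted error, nothing to compare
        if i >= len(have_parts) or have_parts[i] != part:
            return False
    return True
```

A `None` result means the key file predates fingerprints or the error text did not contain one, so the check cannot decide either way.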
 
Hi, Hannes.

Ok, now I understand the problem.

I usually create and restore all my backups with the pct restore command, not with proxmox-backup-client restore, so I can't use the --keyfile parameter.

Anyway, after your explanation I just copied the PBS1 .enc file and associated it with the PBS2 storage name, and now I can restore the backup with the pct restore command; PVE and PBS did their magic under the hood.

So you just made my day :)

Thank you very much for the concise explanation!
 
(Quoting Hannes' reply above.)

Brilliant, this worked. I don't see any reference to the .enc file in [1] or anywhere else for that matter. I'd cut and paste this directly into reference [1] including how to import/assign/use it via the cli if possible and not just the gui.
 
