Sync Jobs & Encryption

P

pietroaretino

Well-Known Member
Nov 15, 2019
37
6
48
40
Question about how a sync job handles encryption.

Scenario:
A) PVE1 executes encrypted backups to PBS1
B) PBS2 runs a sync job (pull) from PBS1
C) PVE1 wants to restore from a backup located on PBS2
But now PVE1 receives a "wrong key - unable to verify signature since manifest's key does not match provided key"

Whose encryption key is being used?
Would you need to utilize the key used between PVE1 and PBS1 to restore from PBS2?
 
pietroaretino said:
Whose encryption key is being used?
Would you need to utilize the key used between PVE1 and PBS1 to restore from PBS2?
Click to expand...
The key used for encryption must also be used for decryption. So to restore the encrypted contents from PBS2 as well as from PBS1, both will need to use the same keys.
 
Chris said:
The key used for encryption must also be used for decryption. So to restore the encrypted contents from PBS2 as well as from PBS1, both will need to use the same keys.
Click to expand...
Thank you Chris for your response. So in this scenario inside of /etc/pve/priv/storage/ I have the files:
-pbs1.enc
-pbs1.pw
-pbs2.enc
-pbs2.pw

Therefore if I understand this correctly I could just run the command:
Code: 
cat pbs1.enc > pbs2.enc
Of course I will make a backup before I touch anything.

EDIT

Ok so after re-reading the documentation I see now that the actual encryption key configuration for storage is saved in /etc/pve/storage.cfg

I see the entries for PBS1 and PBS2.

Code: 
pbs1: pbs1
        datastore BU1
        server 192.168.1.1
        content backup
        encryption-key KEY1
        fingerprint FINGERPRINT1
        prune-backups keep-all=1
        username root@pam

pbs: pbs2
        datastore BU2
        server 192.168.1.2
        content backup
        encryption-key KEY2
        fingerprint FINGERPRINT2
        prune-backups keep-all=1
        username root@pam

So I am assuming I take the encryption key used for PBS1 and use it also for PBS2.
I.E. KEY2 is replaced by KEY1.
How about the fingerprints though, does FINGERPRINT2 need to also be replaced with FINGERPRINT1? I'm assuming no as those are simply to identify the correct PBS server, right?

Afterwhich, will a complete server reboot be required or are there just certain services I need to restart?
I am taking a guess I will need to restart the
Code: 
pve-cluster.service
and restart
Code: 
pvesm.service
should that suffice?

Thanks again.
 
Last edited:
Onslow said:
FWIW, shouldn't it be
Code: 
pbs: pbs1
etc...
(without 1 on the left side of : )?
Probably a typo...
Click to expand...
Yes, sorry I simply did a find and replace to sanitize the name of my actual servers. But you are correct.
However I discovered how to fix this problem if anyone encounters the same issue.
Firstly and hopefully one has their key backups! Which I did.
  1. On your PVE simply go to to
  2. Datacenter -> Storage
  3. Find your PBS that is using the wrong key, select it and click edit
  4. Go to Encryption --> Edit existing encryption key (dangerous!)
  5. Upload your PBS1 encryption key. Save.
Doesn't seem a restart of any services was required. After that I was able to now access my backups stored on my PBS2 server which syncs from my PBS1 server.
 
Last edited:
  • Like
Reactions: Onslow
You must log in or register to reply here.
Top Bottom