all lists on lists.proxmox.com
 help / color / mirror / Atom feed
From: Fabian Ebner <f.ebner@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH docs] add encryption section for PBS
Date: Wed, 25 Nov 2020 15:53:33 +0100	[thread overview]
Message-ID: <20201125145333.31909-1-f.ebner@proxmox.com> (raw)

Some parts from the PBS docs where re-used.

Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
---
 pve-storage-pbs.adoc | 42 ++++++++++++++++++++++++++++++++++++++++++
 vzdump.adoc          |  5 +++++
 2 files changed, 47 insertions(+)

diff --git a/pve-storage-pbs.adoc b/pve-storage-pbs.adoc
index 9527237..1bb0721 100644
--- a/pve-storage-pbs.adoc
+++ b/pve-storage-pbs.adoc
@@ -82,6 +82,48 @@ container.
 |backup        |n/a           |yes    |n/a       |n/a
 |===============================================================
 
+[[storage_pbs_encryption]]
+Encryption
+~~~~~~~~~~
+
+Optionally, you can configure client-side encryption with AES-256 in GCM mode.
+Encryption can be configured either via the web interface, or on the CLI with
+the `encryption-key` option (see above). The key will be saved in the file
+`/etc/pve/priv/storage/<STORAGE-ID>.enc`, which is only accessible by the root
+user.
+
+WARNING: Without their key, backups will be inaccessible. Thus, you should
+keep keys ordered and in a place that is separate from the contents being
+backed up. It can happen, for example, that you back up an entire system, using
+a key on that system. If the system then becomes inaccessible for any reason
+and needs to be restored, this will not be possible as the encryption key will be
+lost along with the broken system.
+
+It is recommended that you keep your keys safe, but easily accessible, in
+order for quick disaster recovery. For this reason, the best place to store it
+is in your password manager, where it is immediately recoverable. As a backup to
+this, you should also save the key to a USB drive and store that in a secure
+place. This way, it is detached from any system, but is still easy to recover
+from, in case of emergency. Finally, in preparation for the worst case scenario,
+you should also consider keeping a paper copy of your master key locked away in
+a safe place. The `paperkey` subcommand can be used to create a QR encoded
+version of your master key. The following command sends the output of the
+`paperkey` command to a text file, for easy printing.
+
+----
+# proxmox-backup-client key paperkey --output-format text > qrkey.txt
+----
+
+Because the encryption is managed on the client side, you can use the same
+datastore on the server for unencrypted backups and encrypted backups, even
+if they are encrypted with different keys. However, deduplication between
+backups with different keys is not possible, so it is often better to create
+separate datastores.
+
+NOTE: Do not use encryption if there is no benefit from it, for example, when
+you are running the server locally in a trusted network. It is always easier to
+recover from unencrypted backups.
+
 Examples
 ~~~~~~~~
 
diff --git a/vzdump.adoc b/vzdump.adoc
index 3c67b88..9453684 100644
--- a/vzdump.adoc
+++ b/vzdump.adoc
@@ -179,6 +179,11 @@ compression algorithm has been used to create the backup.
 If the backup file name doesn't end with one of the above file extensions, then
 it was not compressed by vzdump.
 
+Backup Encryption
+-----------------
+
+For Proxmox Backup Server storages, you can optionally set up client-side
+encryption of backups, see xref:storage_pbs_encryption[the corresponding section.]
 
 [[vzdump_retention]]
 Backup Retention
-- 
2.20.1





             reply	other threads:[~2020-11-25 14:54 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-11-25 14:53 Fabian Ebner [this message]
2020-11-25 15:10 ` [pve-devel] applied: " Thomas Lamprecht

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20201125145333.31909-1-f.ebner@proxmox.com \
    --to=f.ebner@proxmox.com \
    --cc=pve-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal