From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH docs] pbs: add information about master key support
Date: Tue, 22 Jun 2021 13:43:31 +0200 [thread overview]
Message-ID: <20210622114331.2708512-1-f.gruenbichler@proxmox.com> (raw)
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
pve-storage-pbs.adoc | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/pve-storage-pbs.adoc b/pve-storage-pbs.adoc
index c22f5b3..a3d7da1 100644
--- a/pve-storage-pbs.adoc
+++ b/pve-storage-pbs.adoc
@@ -57,6 +57,13 @@ restricted to the root user. Use the magic value `autogen` to automatically
generate a new one using `proxmox-backup-client key create --kdf none <path>`.
Optional.
+master-pubkey::
+
+A public RSA key used to encrypt the backup encryption key as part of the
+backup task. The encrypted copy will be appended to the backup and stored on
+the Proxmox Backup Server instance for recovery purposes.
+Optional, requires `encryption-key`.
+
.Configuration Example (`/etc/pve/storage.cfg`)
----
pbs: backup
@@ -116,6 +123,18 @@ a text file, for easy printing.
# proxmox-backup-client key paperkey /etc/pve/priv/storage/<STORAGE-ID>.enc --output-format text > qrkey.txt
----
+Additionally, it is possible to use a single RSA master key pair for key
+recovery purposes: configure all clients doing encrypted backups to use a
+single public master key, and all subsequent encrypted backups will contain a
+RSA-encrypted copy of the used AES encryption key. The corresponding private
+master key allows recovering the AES key and decrypting the backup even if the
+client system is no longer available.
+
+WARNING: The same safe-keeping rules apply to the master key pair as to the
+regular encryption keys. Without a copy of the private key recovery is not
+possible! The `paperkey` command supports generating paper copies of private
+master keys for storage in a safe, physical location.
+
Because the encryption is managed on the client side, you can use the same
datastore on the server for unencrypted backups and encrypted backups, even
if they are encrypted with different keys. However, deduplication between
--
2.30.2
next reply other threads:[~2021-06-22 11:44 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-22 11:43 Fabian Grünbichler [this message]
2021-06-23 7:28 ` [pve-devel] applied: " Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210622114331.2708512-1-f.gruenbichler@proxmox.com \
--to=f.gruenbichler@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox