From: Fabian Grünbichler
To: pve-devel@lists.proxmox.com
Date: Tue, 22 Jun 2021 13:43:31 +0200
Message-Id: <20210622114331.2708512-1-f.gruenbichler@proxmox.com>
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pve-devel] [PATCH docs] pbs: add information about master key support X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Jun 2021 11:44:23 -0000 Signed-off-by: Fabian Grünbichler --- pve-storage-pbs.adoc | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/pve-storage-pbs.adoc b/pve-storage-pbs.adoc index c22f5b3..a3d7da1 100644 --- a/pve-storage-pbs.adoc +++ b/pve-storage-pbs.adoc @@ -57,6 +57,13 @@ restricted to the root user. Use the magic value `autogen` to automatically generate a new one using `proxmox-backup-client key create --kdf none `. Optional. +master-pubkey:: + +A public RSA key used to encrypt the backup encryption key as part of the +backup task. The encrypted copy will be appended to the backup and stored on +the Proxmox Backup Server instance for recovery purposes. +Optional, requires `encryption-key`. + .Configuration Example (`/etc/pve/storage.cfg`) ---- pbs: backup 
@@ -116,6 +123,18 @@ a text file, for easy printing. # proxmox-backup-client key paperkey /etc/pve/priv/storage/.enc --output-format text > qrkey.txt ---- +Additionally, it is possible to use a single RSA master key pair for key +recovery purposes: configure all clients doing encrypted backups to use a +single public master key, and all subsequent encrypted backups will contain a +RSA-encrypted copy of the used AES encryption key. The corresponding private +master key allows recovering the AES key and decrypting the backup even if the +client system is no longer available. + +WARNING: The same safe-keeping rules apply to the master key pair as to the +regular encryption keys. Without a copy of the private key recovery is not +possible! The `paperkey` command supports generating paper copies of private +master keys for storage in a safe, physical location. + Because the encryption is managed on the client side, you can use the same datastore on the server for unencrypted backups and encrypted backups, even if they are encrypted with different keys. However, deduplication between -- 2.30.2
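Review bot: in the first hunk (`@@ -57,6 +57,13 @@`), the new `master-pubkey::` entry does not say what form the value takes or where it is stored on the Proxmox VE side, whereas the neighbouring `encryption-key` entry is tied to a file under `/etc/pve/priv/storage/` in the `paperkey` example; suggest a sentence in the same style stating the expected key encoding and its storage location. The "Optional, requires `encryption-key`." line is good, but it would help to say why: the public key encrypts nothing but the backup encryption key, so a storage entry with `master-pubkey` and no `encryption-key` is a misconfiguration rather than a weaker-but-valid setup.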
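Review bot: in the second hunk (`@@ -116,6 +123,18 @@`), the WARNING covers availability of the private master key but not its confidentiality. Because every client configured with the same public master key appends an RSA-encrypted copy of its AES key to each backup, whoever holds the private key can decrypt all of those backups across all clients; suggest adding a sentence to that effect so "the same safe-keeping rules" is read as "keep it offline and access-restricted", not only "keep a copy". Two wording fixes: "contain a RSA-encrypted copy" should be "contain an RSA-encrypted copy", and "Without a copy of the private key recovery is not possible!" needs a comma after "key". It would also help to name the client command that creates the master key pair next to the `paperkey` reference, since the section otherwise documents backing up the key without showing how it is made.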