public inbox for pve-devel@lists.proxmox.com
* [pve-devel] [PATCH docs] pbs: add information about master key support
@ 2021-06-22 11:43 Fabian Grünbichler
  2021-06-23  7:28 ` [pve-devel] applied: " Thomas Lamprecht
  0 siblings, 1 reply; 2+ messages in thread
From: Fabian Grünbichler @ 2021-06-22 11:43 UTC (permalink / raw)
  To: pve-devel

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 pve-storage-pbs.adoc | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/pve-storage-pbs.adoc b/pve-storage-pbs.adoc
index c22f5b3..a3d7da1 100644
--- a/pve-storage-pbs.adoc
+++ b/pve-storage-pbs.adoc
@@ -57,6 +57,13 @@ restricted to the root user.  Use the magic value `autogen` to automatically
 generate a new one using `proxmox-backup-client key create --kdf none <path>`.
 Optional.
 
+master-pubkey::
+
+A public RSA key used to encrypt the backup encryption key as part of the
+backup task. The encrypted copy will be appended to the backup and stored on
+the Proxmox Backup Server instance for recovery purposes.
+Optional, requires `encryption-key`.
+
 .Configuration Example (`/etc/pve/storage.cfg`)
 ----
 pbs: backup
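Review bot: The new `master-pubkey::` entry never says what value the option takes or what format is expected. The neighbouring `encryption-key` text tells the reader where the key lives, that it is root-restricted, and how to generate one (`key create --kdf none <path>`), but `master-pubkey` only states "A public RSA key"; a reader cannot tell whether to supply a path, the PEM contents, or something else, nor how to obtain a suitable key pair. Suggest one sentence on the expected form and a pointer to how the master key pair is generated. The phrase "appended to the backup" would also read more precisely as "stored alongside the backup" or whatever the actual on-server layout is, since readers may otherwise assume the encrypted key is embedded in the archive data itself.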
@@ -116,6 +123,18 @@ a text file, for easy printing.
 # proxmox-backup-client key paperkey /etc/pve/priv/storage/<STORAGE-ID>.enc --output-format text > qrkey.txt
 ----
 
+Additionally, it is possible to use a single RSA master key pair for key
+recovery purposes: configure all clients doing encrypted backups to use a
+single public master key, and all subsequent encrypted backups will contain a
+RSA-encrypted copy of the used AES encryption key. The corresponding private
+master key allows recovering the AES key and decrypting the backup even if the
+client system is no longer available.
+
+WARNING: The same safe-keeping rules apply to the master key pair as to the
+regular encryption keys. Without a copy of the private key recovery is not
+possible! The `paperkey` command supports generating paper copies of private
+master keys for storage in a safe, physical location.
+
 Because the encryption is managed on the client side, you can use the same
 datastore on the server for unencrypted backups and encrypted backups, even
 if they are encrypted with different keys. However, deduplication between
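Review bot: The WARNING should spell out the blast radius: the preceding paragraph says all clients share a single public master key, which means the one private master key can decrypt every backup from every client, so its compromise is a compromise of the whole fleet's backups. A sentence to that effect, plus the explicit advice to keep the private key off the backup server and the clients, would make the safe-keeping rule concrete rather than "the same rules apply". Minor wording in the same paragraph: "a RSA-encrypted copy" should be "an RSA-encrypted copy", and "Without a copy of the private key recovery is not possible!" wants a comma after "key". The text also tells the reader that `paperkey` can print the private master key but not how the key pair is created in the first place; a short pointer there would close the loop.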
-- 
2.30.2

* [pve-devel] applied: [PATCH docs] pbs: add information about master key support
  2021-06-22 11:43 [pve-devel] [PATCH docs] pbs: add information about master key support Fabian Grünbichler
@ 2021-06-23  7:28 ` Thomas Lamprecht
  0 siblings, 0 replies; 2+ messages in thread
From: Thomas Lamprecht @ 2021-06-23  7:28 UTC (permalink / raw)
  To: Proxmox VE development discussion, Fabian Grünbichler

On 22.06.21 13:43, Fabian Grünbichler wrote:
> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
> ---
>  pve-storage-pbs.adoc | 19 +++++++++++++++++++
>  1 file changed, 19 insertions(+)
> 
>

applied, thanks!

