mirror of
https://git.proxmox.com/git/pve-docs
synced 2025-04-30 22:47:23 +00:00
pbs: add information about master key support
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
parent b455993f50
commit 8200df48fb
@@ -57,6 +57,13 @@ restricted to the root user. Use the magic value `autogen` to automatically
 generate a new one using `proxmox-backup-client key create --kdf none <path>`.
 Optional.
 
+master-pubkey::
+
+A public RSA key used to encrypt the backup encryption key as part of the
+backup task. The encrypted copy will be appended to the backup and stored on
+the Proxmox Backup Server instance for recovery purposes.
+Optional, requires `encryption-key`.
+
 .Configuration Example (`/etc/pve/storage.cfg`)
 ----
 pbs: backup
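Review bot: The new `master-pubkey::` entry does not say how the value is supplied or where it ends up, whereas the neighbouring `encryption-key` text (visible in the hunk header context) spells out that its key is stored under `/etc/pve/priv/storage/<STORAGE-ID>.enc` with root-only access; state the same for the public master key (a path, or the key material itself, and the file it is written to) so an administrator can audit what is on the node. "Optional, requires `encryption-key`." should also say what happens when `master-pubkey` is set without `encryption-key` (rejected at configuration time, or silently ignored), since a silently ignored setting would leave the operator believing key recovery is in place when no encrypted key copy is ever written.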
@@ -116,6 +123,18 @@ a text file, for easy printing.
 # proxmox-backup-client key paperkey /etc/pve/priv/storage/<STORAGE-ID>.enc --output-format text > qrkey.txt
 ----
 
+Additionally, it is possible to use a single RSA master key pair for key
+recovery purposes: configure all clients doing encrypted backups to use a
+single public master key, and all subsequent encrypted backups will contain a
+RSA-encrypted copy of the used AES encryption key. The corresponding private
+master key allows recovering the AES key and decrypting the backup even if the
+client system is no longer available.
+
+WARNING: The same safe-keeping rules apply to the master key pair as to the
+regular encryption keys. Without a copy of the private key recovery is not
+possible! The `paperkey` command supports generating paper copies of private
+master keys for storage in a safe, physical location.
+
 Because the encryption is managed on the client side, you can use the same
 datastore on the server for unencrypted backups and encrypted backups, even
 if they are encrypted with different keys. However, deduplication between
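Review bot: The WARNING covers loss of the private master key but not its exposure, which is the larger risk the preceding paragraph implies: since the private half "allows recovering the AES key and decrypting the backup" for every client sharing that public key, the note should state explicitly that only the public key is configured on the Proxmox VE nodes and that the private key must not be kept alongside the storage encryption keys (the hunk header context shows those live under `/etc/pve/priv/storage/`), otherwise a single compromised node turns the recovery mechanism into a decryption key for all backups. Two wording points in the same lines: "will contain a RSA-encrypted copy" should read "an RSA-encrypted copy", and "Without a copy of the private key recovery is not possible!" needs a comma after "private key".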