I set up my Proxmox server to send backups to PBS.
I also wanted to ensure that the backup encryption key file was not sitting on the disk in clear text. Because Proxmox does not support FDE out of the box, my plan was that the actual file would remain on an encrypted drive which I would decrypt after boot, and then create a symlink to "/etc/pve/priv/storage/${storeid}.enc".
The flaw in this plan, though, is that if Proxmox triggered the backup before that, the file would not be found and the backup would fail. Or would it? It seems like a sensible thing to fail the backup if the enc key file is not in place. So I removed the enc file and ran the backup.
So I asked on the forum, Reddit and also Discord, but to no avail. I decided to take a look at the source code. I am no Perl/Rust dev, but from the source code it is evident that
Check the following snippets taken from the Proxmox repos (pve-storage & pbs-client). The method calls propagate as:

do_raw_client_cmd -> pbs_open_encryption_key

pbs_open_encryption_key will simply return undef if the file is not in place. Because of this, do_raw_client_cmd will set the crypt mode to none by sending '--crypt-mode=none' to the pbs backup client, resulting in the backup being sent in clear text.
When the user ticks the encryption option while adding the PBS storage in the UI, the following will be added to /etc/pve/storage.cfg:

pbs: pbs-backup
	datastore xx
	server xxx
	content backup
	encryption-key md5 fingerprint of key
	fingerprint md5 fingerprint of server
	prune-backups keep-all=1
	username xx@xx
In the UI it is reflected that encryption is on, but in reality, even though unlikely, it is entirely possible that if the file is missing for some reason the encryption will be silently disabled. This is a HUGE disconnect from what is shown to the user in the UI, and the user will never know the backup is completely exposed.
A proper way to handle this would be to check whether the encryption-key value is available in the storage config in /etc/pve/storage.cfg, and fail the backup if the encryption key does not match the fingerprint AND if the encryption key file is missing. The user will take note of this and know the backup has failed and that nothing was sent in clear text.
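As an added example (not code from the post or from Proxmox), here is a pre-backup guard in POSIX shell that implements the check suggested above: it parses storage.cfg, and for every pbs storage carrying an encryption-key line it fails if the key file under the priv directory is missing or empty (a dangling symlink, as in the deferred-mount plan, counts as missing) or if the key file's fingerprint disagrees with the configured value. It assumes the PBS key file is JSON with a "fingerprint" field (the comparison is skipped if that field is absent); the config path and priv directory are parameters so it can be run against a test copy.

```shell
#!/bin/sh
# Added example, not code from the post or from Proxmox: a guard that fails
# loudly when a PBS storage is marked encrypted in storage.cfg but its key
# file is absent, instead of letting the job fall back to --crypt-mode=none.
# Assumptions: storage.cfg uses "type: id" header lines followed by indented
# "key value" lines (as shown in the post); the key lives at <privdir>/<id>.enc;
# the key file is JSON with a "fingerprint" field (PBS key file format).
#
# usage: pbs_key_check [storage.cfg] [priv-dir]   -> exit 0 = ok, 1 = problem

pbs_key_check() {
    cfg="${1:-/etc/pve/storage.cfg}"
    privdir="${2:-/etc/pve/priv/storage}"
    rc=0
    # Emit "id<TAB>configured-fingerprint" for every pbs section that has an
    # encryption-key line; sections of other storage types are ignored.
    entries=$(awk '
        /^[a-z]+:[ \t]/ { type = $1; sub(":", "", type); id = $2; next }
        type == "pbs" && $1 == "encryption-key" { print id "\t" $2 }
    ' "$cfg")
    [ -n "$entries" ] || return 0   # no encrypted PBS storage configured
    # Here-document (not a pipe) so that rc survives the loop in this shell.
    while read -r id want; do
        [ -n "$id" ] || continue
        keyfile="$privdir/$id.enc"
        # -s follows symlinks, so a link to a not-yet-decrypted volume fails too.
        if [ ! -s "$keyfile" ]; then
            echo "ERROR: storage '$id' is encrypted in config but $keyfile is missing or empty" >&2
            rc=1; continue
        fi
        # Cross-check the key file's own fingerprint against storage.cfg.
        have=$(sed -n 's/.*"fingerprint":[ ]*"\([^"]*\)".*/\1/p' "$keyfile")
        if [ -n "$have" ] && [ "$have" != "$want" ]; then
            echo "ERROR: storage '$id': key fingerprint $have != configured $want" >&2
            rc=1
        fi
    done <<EOF
$entries
EOF
    return $rc
}
```

Wiring the check into a vzdump hook script at the job-start phase, so that a non-zero exit aborts the job before any data leaves the host, is one way to use it.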
Yes, it shows up as encrypted. No indication that data was sent as cleartext.