Encryption
Encrypt backups on the client side with a key generated by Cloud-PBS TUI.
Last updated: May 18, 2026
Cloud-PBS TUI can encrypt backups on the client side: data is encrypted on the host before being sent to the PBS server. The server then only ever sees encrypted data.
Generating a key
Cloud-PBS TUI generates the encryption key through proxmox-backup-client key create. The path to the key file is entered in the Encryption key field of the Target screen.
The key is generated without a passphrase (--kdf none). The encryption secret therefore lives only in the key file: its confidentiality relies entirely on filesystem permissions. The file should be readable only by the user who runs the backups.
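The permission requirement above can be checked from the shell. This is an added example, not part of Cloud-PBS TUI: check_key_file is a hypothetical helper name, and it assumes it is run as the user who runs the backups, on a host with GNU or BSD stat.

```shell
#!/bin/sh
# Added example: audit the permissions of a PBS client encryption key file.
# check_key_file is a hypothetical helper, not a Cloud-PBS TUI command.
# Return codes: 0 ok, 1 group/other can access the file,
#               2 missing, symlink or not a regular file,
#               3 owned by a different user than the one running the check.
check_key_file() {
    key=$1
    # Refuse symlinks and anything that is not a regular file.
    if [ -L "$key" ] || [ ! -f "$key" ]; then
        return 2
    fi
    # GNU stat first, BSD stat as fallback; both print "<octal mode> <owner uid>".
    info=$(stat -c '%a %u' "$key" 2>/dev/null || stat -f '%Lp %u' "$key") || return 2
    mode=${info% *}
    owner=${info#* }
    # The key has no passphrase, so the owner must be the backup user itself.
    if [ "$owner" != "$(id -u)" ]; then
        return 3
    fi
    # Any bit set in the group or other triplets exposes the key to other users.
    case $mode in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}
```

A non-zero result on an existing key is fixed by tightening the file mode (for example chmod 600 on the key file), not by regenerating the key.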
Safeguard
The tool never overwrites an existing key: if a key file is already present at the given path, generation fails. This is a deliberate protection, because overwriting a key would make every backup encrypted with the old one unreadable.
Back up the key
CAUTION
Without the key, an encrypted backup is permanently unrecoverable. No restore is possible.
Keep a copy of the key in a safe place, separate from the backed-up host: a password vault, offline media, or both. If the host is lost, it is that copy that will allow the data to be restored.
Restoring an encrypted backup
The same key is needed to restore an encrypted backup. Enter its path in the Encryption key field of the Target screen before browsing or restoring backups; see Browsing and restoring.