
1-2-3 Backup-Strategy with Proxmox Backup Server

Security-First Proxmox Backup Strategy: Multi-Site, Ransomware-Resistant, Auditable

Protecting your data isn’t just about redundancy—it’s about outsmarting modern threats like ransomware and ensuring you’re always one step ahead.

In my personal homelab environment, I wanted backup practices that rival those found in enterprise datacenters—robust, auditable, and truly resistant to attack. Here’s how my two-site Proxmox backup setup tackles these challenges with layered security, strict access controls, and robust backup retention.


Schema

Design Highlights

1. Localized & Isolated Backups

  • Each Proxmox host/cluster sends backups only to its on-site PBS.
  • Hosts cannot access, view, or interact with the remote PBS at the other site.

2. Minimal Privilege Access

  • The credential each Proxmox host uses on its PBS carries only the DatastoreBackup role (Datastore.Backup, Datastore.Read, Datastore.Audit): it can store new snapshots and read its own for restores, but it lacks Datastore.Prune and Datastore.Modify, so it can neither alter nor delete what is already there. What a compromised host can still do is push new, possibly worthless, snapshots, so free space on the datastore is worth watching.
  • Every PBS login used for backups is tightly scoped; hosts only see what’s strictly necessary.

3. Namespace Segmentation

  • Bochum PBS can only sync to its bochum namespace on Dülmen PBS, and vice versa: the credential one site holds on the other is granted on that namespace path alone.
  • This confines a breach of one site's PBS to that site's namespace on the remote; the remote's own backups stay out of reach.

4. Secure Administration

  • 2FA (Two-Factor Authentication) is mandatory on all admin accounts for both PBS instances.
  • Every administrative action requires a strong, unique password plus a second factor, so a single leaked password cannot put the backup system at risk.

5. Long-Term Backup Retention

  • PBS is configured to keep a backup history spanning several months, so there are safe restore points even if an attack goes unnoticed for weeks.
  • Retention is enforced solely by each PBS server through its own scheduled prune and garbage-collection jobs.
  • No Proxmox host has the permission or interface to delete backups from the PBS.
  • Sync jobs run with remove-vanished left off (the default), so replication only ever adds snapshots and never removes ones that disappeared from the source.
  • So even if a host or a backup or sync credential is compromised, the attacker cannot delete backup data from either server; that would take an administrator account, which sits behind 2FA.
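The rules in points 2, 3 and 5 can be checked mechanically rather than trusted. The following is an added example, not code from the original post or from the Proxmox project: an offline audit over the JSON that `proxmox-backup-manager acl list`, `sync-job list` and `prune-job list` emit with `--output-format json`. The sample export, the principal names (`pve-duelmen@pbs!vzdump`, `push-bochum@pbs`), the datastore name and the keep-monthly threshold are constructed for the illustration, and the `sync-direction`/`remote-ns` handling assumes the push-sync job fields of PBS 3.3 and later.

```python
"""Offline audit of a Proxmox Backup Server configuration against the
least-privilege, namespace and append-only rules of this setup.

Added example, not code from the original post or from the PBS project.
The constructed export below follows the field names that
`proxmox-backup-manager acl list | sync-job list | prune-job list
--output-format json` emit; principal and datastore names are made up."""
import json

# Roles whose privilege set includes Datastore.Prune and/or Datastore.Modify.
DELETE_CAPABLE_ROLES = {"DatastorePowerUser", "DatastoreAdmin", "Admin"}
# The role a backup client needs: Datastore.Backup + Datastore.Read + Datastore.Audit.
BACKUP_CLIENT_ROLE = "DatastoreBackup"
TOO_BROAD = {"/", "/datastore"}


def audit_acls(acl_items, client_principals, remote_principals):
    """client_principals: user or token IDs the local Proxmox hosts log in with.
    remote_principals: {ID the other site uses on this PBS: allowed ACL path}.
    Returns a list of findings; an empty list means the rules hold."""
    findings = []
    for item in acl_items:
        who, path, role = item["ugid"], item["path"], item["roleid"]
        if who in client_principals:
            if role in DELETE_CAPABLE_ROLES:
                findings.append(f"{who}: {role} on {path} allows pruning or modifying backups")
            elif role != BACKUP_CLIENT_ROLE:
                findings.append(f"{who}: expected {BACKUP_CLIENT_ROLE} on {path}, found {role}")
            if path in TOO_BROAD:
                findings.append(f"{who}: {role} granted at {path} instead of a datastore path")
        if who in remote_principals:
            allowed = remote_principals[who]
            if role in DELETE_CAPABLE_ROLES:
                findings.append(f"{who}: {role} on {path} allows pruning or modifying backups")
            if path != allowed and not path.startswith(allowed + "/"):
                findings.append(f"{who}: {role} on {path} escapes namespace {allowed}")
    return findings


def audit_sync_jobs(sync_jobs):
    """Replication must only ever add: remove-vanished off, per-site target namespace."""
    findings = []
    for job in sync_jobs:
        # Push jobs (PBS 3.3+) write to remote-ns; pull jobs write to the local ns.
        target_ns = job.get("remote-ns") if job.get("sync-direction") == "push" else job.get("ns")
        if job.get("remove-vanished", False):
            findings.append(f"sync job {job['id']}: remove-vanished is enabled")
        if not target_ns:
            findings.append(f"sync job {job['id']}: writes into the root namespace")
    return findings


def audit_prune_jobs(prune_jobs, min_months=3):
    """Retention must span several months; min_months is this example's own threshold."""
    findings = []
    for job in prune_jobs:
        months = job.get("keep-monthly", 0)
        if job.get("disable", False):
            findings.append(f"prune job {job['id']}: disabled, datastore will only ever grow")
        elif months < min_months:
            findings.append(f"prune job {job['id']}: keep-monthly={months}, want >= {min_months}")
    return findings


# Constructed export of the Dülmen PBS.  Local hosts back up as pve-duelmen@pbs!vzdump;
# the Bochum PBS pushes into namespace bochum as push-bochum@pbs.  Three mistakes are
# planted: the host token can prune, the push user is granted one level too high,
# and the outgoing sync job may delete on the remote side.
SAMPLE_ACL = json.loads("""[
 {"path": "/datastore/backups", "ugid": "pve-duelmen@pbs!vzdump", "ugid_type": "user",
  "propagate": true, "roleid": "DatastorePowerUser"},
 {"path": "/datastore/backups", "ugid": "push-bochum@pbs", "ugid_type": "user",
  "propagate": true, "roleid": "DatastoreBackup"},
 {"path": "/datastore/backups/bochum", "ugid": "push-bochum@pbs", "ugid_type": "user",
  "propagate": true, "roleid": "DatastoreBackup"},
 {"path": "/", "ugid": "root@pam", "ugid_type": "user", "propagate": true, "roleid": "Admin"}
]""")
SAMPLE_SYNC = json.loads("""[
 {"id": "push-to-bochum", "store": "backups", "remote": "bochum-pbs", "remote-store": "backups",
  "remote-ns": "duelmen", "sync-direction": "push", "remove-vanished": true, "schedule": "hourly"}
]""")
SAMPLE_PRUNE = json.loads("""[
 {"id": "keep-months", "store": "backups", "schedule": "daily",
  "keep-daily": 14, "keep-weekly": 8, "keep-monthly": 6}
]""")
CLIENTS = {"pve-duelmen@pbs!vzdump"}
REMOTES = {"push-bochum@pbs": "/datastore/backups/bochum"}


def run_audit(acl=SAMPLE_ACL, sync=SAMPLE_SYNC, prune=SAMPLE_PRUNE):
    return audit_acls(acl, CLIENTS, REMOTES) + audit_sync_jobs(sync) + audit_prune_jobs(prune)


if __name__ == "__main__":
    for finding in run_audit():  # three findings, one per planted mistake
        print("FAIL:", finding)
```

Two operational details follow from these rules. On the PVE side, leave the PBS storage's retention at keep-all (the default): a credential without Datastore.Prune will be refused when vzdump attempts its post-backup prune, which is exactly what you want, since pruning belongs to the PBS. And a clean audit says nothing about datastore usage; a token with DatastoreBackup can still push snapshots, so capacity needs its own monitoring.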

6. Tamper-Proof Logging and Auditing

  • All admin actions and backup jobs are logged, supporting transparent oversight and forensic readiness in case of suspicious activity.

Ransomware & Attack Resilience

  • Append-Only Backups: Backup credentials can add snapshots but not prune them, and each site's sync is confined to its own namespace, so ransomware on a production host can neither encrypt nor erase the existing archives. This is append-only by access control, not immutable storage: a PBS administrator can still prune, which is why point 4 matters.
  • Multi-Factor Barriers: 2FA for admin accounts stops unauthorized changes, even if credentials leak.
  • Multi-Month History: If an infection or data corruption goes unnoticed for some time, you still have a wide window of clean restores.
  • Geographical Redundancy: Backups are stored offsite, meaning even a full-site breach or hardware failure leaves your recovery options intact.
  • No Deletion via Hosts or Sync: Only PBS handles retention, and only according to its predefined prune policies; no host credential or sync job can delete snapshots from outside.
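How wide the restore window from point 5 really is, and why it survives a host that floods the datastore, can be measured. The following is an added example, not code from the original post or from the PBS project: it models the prune selection PBS documents (options processed in the order keep-last, hourly, daily, weekly, monthly, yearly; each keeps the newest snapshot per calendar period and skips periods an earlier option already covered), and that rule is an assumption of the example. The schedule (one backup a day for 400 days ending 2025-06-30, then 45 junk snapshots a day for the last week) and the keep-* values are constructed for the illustration.

```python
"""Model of PBS prune selection, used to measure the restore window a keep-*
policy gives and how it behaves when a compromised host floods the datastore.

Added example, not code from the original post or from the PBS project.  The
selection rule is modeled on the one PBS documents and is an assumption of this
example; the backup schedule and policies below are constructed."""
from datetime import datetime, timedelta

OPTION_ORDER = ("keep-last", "keep-hourly", "keep-daily", "keep-weekly", "keep-monthly", "keep-yearly")


def _bucket(option, t):
    """Calendar period a snapshot falls into for the given keep-* option."""
    if option == "keep-hourly":
        return t.strftime("%Y/%m/%d/%H")
    if option == "keep-daily":
        return t.strftime("%Y/%m/%d")
    if option == "keep-weekly":
        year, week, _ = t.isocalendar()
        return f"{year}/{week:02d}"
    if option == "keep-monthly":
        return t.strftime("%Y/%m")
    if option == "keep-yearly":
        return t.strftime("%Y")
    return t.isoformat()  # keep-last: every snapshot is its own bucket


def prune_selection(times, policy):
    """Return, oldest first, the snapshot times that survive `policy`.

    Options run in OPTION_ORDER.  Each walks the snapshots newest-first, keeps
    the newest snapshot of every bucket until `keep` buckets are filled, marks
    older snapshots of a filled bucket for removal, and skips buckets that an
    earlier option already covered with a kept snapshot."""
    times = sorted(times, reverse=True)
    mark = {}
    for option in OPTION_ORDER:
        keep = policy.get(option, 0)
        if keep <= 0:
            continue
        covered = {_bucket(option, t) for t in times if mark.get(t) == "keep"}
        filled = set()
        for t in times:
            if t in mark:
                continue
            bucket = _bucket(option, t)
            if bucket in covered:
                continue
            if bucket in filled:
                mark[t] = "remove"
            elif len(filled) >= keep:
                break
            else:
                filled.add(bucket)
                mark[t] = "keep"
    return sorted(t for t in times if mark.get(t) == "keep")


def retention_window_days(times, policy):
    """Days between the newest snapshot and the oldest one the policy keeps."""
    return (max(times) - prune_selection(times, policy)[0]).days


# Constructed schedule: one backup a day at 23:00 for 400 days ending 2025-06-30.
END = datetime(2025, 6, 30, 23, 0)
NORMAL = [END - timedelta(days=d) for d in range(400)]
# Same, plus a compromised host pushing 45 junk snapshots a day for the last week.
FLOOD = NORMAL + [END - timedelta(days=d, minutes=30 * m) for d in range(7) for m in range(1, 46)]

CALENDAR_POLICY = {"keep-daily": 14, "keep-weekly": 8, "keep-monthly": 6}
COUNT_POLICY = {"keep-last": 30}

if __name__ == "__main__":
    for name, times in (("normal", NORMAL), ("flooded", FLOOD)):
        for pname, policy in (("calendar", CALENDAR_POLICY), ("keep-last 30", COUNT_POLICY)):
            days = retention_window_days(times, policy)
            print(f"{name:8s} {pname:13s} oldest restore point {days:3d} days back")
    # calendar policy: 242 days back in both cases; keep-last 30: 29 days, then 0 once flooded
```

With 14 daily, 8 weekly and 6 monthly slots the oldest restore point is 2024-10-31, roughly eight months back rather than six, because the monthly slots only start counting after the months the daily and weekly rules already cover. The flood does not move that point: calendar buckets keep one snapshot per day no matter how many junk snapshots arrive. A purely count-based policy behaves very differently; keep-last 30 drops from a 29-day window to a few hours once the attacker starts uploading, which is why the retention on the PBS should be expressed in calendar periods.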

Conclusion

This approach turns your Proxmox backup system into a fortress:

  • Rigorous compartmentalization
  • Least-privilege user accounts
  • Strong authentication
  • Tamper-resistant, long-term backup retention
  • Backups can never be deleted from outside the PBS

If ransomware comes knocking, or even if a site-wide disaster strikes, you will have resilient, trustworthy backups ready and a swift, secure path to recovery.