Add some clear warnings and discourage the use of unencrypted backups.

Aterfax 2025-03-23 19:47:18 +00:00
parent cb750d4cb4
commit 92f23512e1
No known key found for this signature in database
3 changed files with 13 additions and 1 deletions

@ -40,6 +40,9 @@ For more in depth instructions, see: [Using-the-DockerHub-provided-image](#Using
### Using the DockerHub provided image ### Using the DockerHub provided image
> [!WARNING]
> It is possible, but highly discouraged for you to make unencrypted backups by setting `UNENCRYPTED=1` in your ``.env`` file. This will bypass the automatic key generation process but **this is a bad idea** as the backed-up data will be stored in plaintext. This means that the owner of the PBS backup server you are backing up to will have full access to explore the backed-up content.
* Run the image with the provided docker-compose file after amending it and the ``.env`` file where needed. * Run the image with the provided docker-compose file after amending it and the ``.env`` file where needed.
* If allowing the container to conduct an auto setup, don't set a ``PBS_ENCRYPTION_PASSWORD`` value yet as the container first run will autogenerate one for you. * If allowing the container to conduct an auto setup, don't set a ``PBS_ENCRYPTION_PASSWORD`` value yet as the container first run will autogenerate one for you.
* Supply your desired ``master-public.pem``, ``master-private.pem`` and ``encryption-key.json`` files with a matching ``PBS_ENCRYPTION_PASSWORD`` or allow the container to automatically generate these for you on first run. * Supply your desired ``master-public.pem``, ``master-private.pem`` and ``encryption-key.json`` files with a matching ``PBS_ENCRYPTION_PASSWORD`` or allow the container to automatically generate these for you on first run.
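
Review bot: The added warning names only "the owner of the PBS backup server" as the party who can read the data, which understates the exposure: the same sentence says the backups are stored in plaintext, so anyone who obtains read access to that server or its storage can explore them too. Suggest wording such as "anyone with access to the PBS backup server or its storage". As a style point, `UNENCRYPTED=1` uses single backticks while the surrounding lines use double backticks (``.env``); pick one.
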
@ -97,6 +100,11 @@ See also:
- https://github.com/Aterfax/pbs-client-docker/issues/8 - https://github.com/Aterfax/pbs-client-docker/issues/8
- https://forum.proxmox.com/threads/backup-client-encryption-not-working-inside-docker-container.139054/ - https://forum.proxmox.com/threads/backup-client-encryption-not-working-inside-docker-container.139054/
> [!WARNING]
> It is possible, but highly discouraged for you to bypass this issue by taking unencrypted backups. You can do this by setting `UNENCRYPTED=1` in your ``.env`` file and this will bypass the automatic key generation process.
>
>**This is a bad idea** as the backed-up data will be stored in plaintext. This means that the owner of the PBS backup server you are backing up to will have full access to explore the backed-up content.
## Troubleshooting ## Troubleshooting
If you encounter issues, check the [Troubleshooting section](TROUBLESHOOTING.md) for solutions to common problems. If you encounter issues, check the [Troubleshooting section](TROUBLESHOOTING.md) for solutions to common problems.
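
Review bot: This second warning repeats the one added under "Using the DockerHub provided image" with different wording, so the two copies can drift apart; keep one full version and have the other link to it. Describing `UNENCRYPTED=1` as a way to "bypass this issue" directly after the two linked reports reads as a recommended workaround, so consider putting the bolded consequence sentence first. The line `>**This is a bad idea**` is also missing the space after `>` that the other quoted lines have.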

@ -6,7 +6,9 @@ CRON_SCHEDULE="0 */4 * * *"
# If you want to skip backup on startup, set CRON_BACKUP_ONLY=1 otherwise CRON_BACKUP_ONLY=0 # If you want to skip backup on startup, set CRON_BACKUP_ONLY=1 otherwise CRON_BACKUP_ONLY=0
CRON_BACKUP_ONLY=0 CRON_BACKUP_ONLY=0
# Set UNENCRYPTED=1 to bypass key generation and allow the backup to be unencrypted # Set UNENCRYPTED=1 to bypass automatic encryption key generation and allow the backups to be unencrypted.
# This is a bad idea as the owner of the PBS backup server you are backing up to will have full access to
# explore the backed-up content.
UNENCRYPTED=0 UNENCRYPTED=0
# Use of the PBS_API_KEY_NAME and PBS_API_KEY_SECRET is recommended! # Use of the PBS_API_KEY_NAME and PBS_API_KEY_SECRET is recommended!
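
Review bot: The new comment explains the risk but not what happens to key material the user has already supplied: say whether `UNENCRYPTED=1` also causes existing key files and the encryption password to be ignored, or only skips generation. It would also help to state that only the exact value `1` disables encryption, which is what the `[ "${UNENCRYPTED}" = "1" ]` check in the setup script implements.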

@ -23,6 +23,8 @@ trap handle_error ERR
# Check if encryption is disabled via environment variable # Check if encryption is disabled via environment variable
if [ "${UNENCRYPTED}" = "1" ]; then if [ "${UNENCRYPTED}" = "1" ]; then
echo "Encrypted backups are disabled. Skipping key setup process." echo "Encrypted backups are disabled. Skipping key setup process."
echo ""
echo "This is a bad idea as the owner of the PBS backup server you are backing up to will have full access to explore the backed-up content."
exit 0 exit 0
fi fi
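
Review bot: The two added `echo` lines write the warning to stdout with no marker and the script then does `exit 0`, so nothing distinguishes it from normal progress output. Send it to stderr with a prefix, for example `echo "WARNING: ..." >&2`, and name the setting (`UNENCRYPTED=1`) in the message so the operator can see which variable caused it.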