How-to guide

How to set up and configure Proxmox Backup Server

Install, harden, and tune PBS for reliable backups from Proxmox VE. This walkthrough covers storage, networking, TLS, retention, and restore testing.

At a glance

Get a production-ready PBS fast.

  • 01 Install PBS on Debian/ISO
  • 02 Design storage + network layout
  • 03 Harden access with TLS and roles
  • 04 Connect PVE and schedule jobs

Prep checklist

  • 64-bit CPU with AES-NI, 16 GB+ RAM minimum; more for heavy backup workloads.
  • Dedicated datastore disks (SAS/NVMe). Keep OS separate.
  • 10/25 Gbps NICs on a backup VLAN; consistent MTU end-to-end.
  • Forward and reverse DNS for the PBS hostname, plus a valid TLS cert plan (ACME or imported).
  • NTP enabled on PBS and all Proxmox VE nodes.

1) Install Proxmox Backup Server

Use the ISO when possible. For current PBS 4 on Debian 13 (trixie), add the pbs-no-subscription repository with deb822:

# Create the keyring directory and fetch the archive key for the trixie (PBS 4) repositories as root
sudo install -d /etc/apt/keyrings
sudo wget -qO /etc/apt/keyrings/proxmox-archive-keyring-trixie.gpg https://enterprise.proxmox.com/debian/proxmox-archive-keyring-trixie.gpg
# Register the repository in deb822 format, pinned to that key
cat <<'EOF' | sudo tee /etc/apt/sources.list.d/pbs.sources
Types: deb
URIs: http://download.proxmox.com/debian/pbs
Suites: trixie
Components: pbs-no-subscription
Signed-By: /etc/apt/keyrings/proxmox-archive-keyring-trixie.gpg
EOF
sudo apt update && sudo apt install proxmox-backup-server

For PBS 3.x on Debian 12 (bookworm), you can still use the legacy list entry:

echo "deb http://download.proxmox.com/debian/pbs bookworm pbs-no-subscription" \
  | sudo tee /etc/apt/sources.list.d/pbs.list
wget -qO- https://enterprise.proxmox.com/debian/proxmox-release-bookworm.gpg \
  | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/proxmox-release.gpg
sudo apt update && sudo apt install proxmox-backup-server

Access the UI at https://<pbs-host>:8007. Create an admin user in the pbs realm to avoid daily root usage.

2) Design storage and datastores

Separate OS and datastore disks. ZFS mirror/RAID10 on SAS/NVMe gives predictable backup and restore speeds.

  • Create pool (example): zpool create -f pbsdata mirror /dev/sdX /dev/sdY.
  • Mount at /mnt/pbsdata and persist with /etc/fstab or a systemd mount.
  • In PBS: Administration > Storage > Add > Directory → path /mnt/pbsdata → name primary.
  • Enable Namespace Mode if you need tenant/environment separation.
  • Add a metadata/special device for faster metadata-heavy operations on large repos.

3) Network for backup traffic

  • Use a dedicated VLAN/VRF for backups; keep management separate.
  • Match MTU across the entire path; check with ping -M do -s 8972 <pbs> for jumbo frames.
  • Prefer bonded uplinks (LACP) and pin PBS NICs to backup networks.
  • Monitor drops/retransmits during peak periods; adjust offload settings if CPU-bound.

4) Secure PBS (TLS, auth, firewall)

  • TLS: Use ACME or upload a signed cert for the hostname PVE will use.
  • Accounts: Create pbs-backup in pbs realm; assign BackupAdmin or scoped DatastorePowerUser.
  • Tokens: Issue API tokens per PVE cluster; scope to datastores.
  • Firewall: Allow TCP 8007 from PVE nodes; restrict SSH/UI to admin sources.
  • 2FA: Require for UI logins where possible.

5) Connect Proxmox VE to PBS

Add PBS storage in each PVE cluster.

# In PVE: Datacenter > Storage > Add > Proxmox Backup Server
# CLI option:
pvesm add pbs pbs-primary \
  --server pbs.example.com \
  --fingerprint <pbs-fingerprint> \
  --datastore primary \
  --username pbs@pbs --password 'TOKEN_OR_PASSWORD'

  • Get the fingerprint on PBS: proxmox-backup-manager cert info | grep Fingerprint.
  • For tokens: --username 'pbs@pbs!tokenid' and --password 'token-secret'.
  • Enable “Validate TLS certificate” in PVE to enforce hostname match.

6) Build backup jobs

  • Schedule VM backups daily or twice daily; align with your environment.
  • Retention starting point: keep 7 daily, 4 weekly, 3 monthly; avoid unlimited.
  • Compression: keep zstd unless CPU constrained.
  • Bandwidth: apply per-job limits only during business hours if needed.
  • Use namespaces or tags to separate prod/stage and simplify organization.
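
To see what the 7 daily / 4 weekly / 3 monthly starting point actually retains, the following added example (not part of the original guide and not PBS code) models keep-daily, keep-weekly and keep-monthly selection over a constructed series of nightly snapshots. It is a simplified model of PBS's documented prune behaviour; the function names and the sample dates are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Period key per rule: two snapshots with the same key share a period.
RULES = [
    ("daily", lambda t: t.strftime("%Y-%m-%d")),
    ("weekly", lambda t: "%d-W%02d" % t.isocalendar()[:2]),  # ISO year/week
    ("monthly", lambda t: t.strftime("%Y-%m")),
]

def simulate_prune(snapshots, keep):
    """Return {snapshot_time: rule_that_kept_it} for one backup group."""
    ordered = sorted(snapshots, reverse=True)  # newest first
    kept, decided = {}, set()
    for rule, key in RULES:
        limit = keep.get(rule, 0)
        if limit == 0:
            continue
        covered = {key(t) for t in kept}  # periods an earlier rule already holds
        chosen = set()
        for t in ordered:
            if t in decided or key(t) in covered:
                continue
            if key(t) in chosen:
                decided.add(t)  # older snapshot in a period already chosen: pruned
            elif len(chosen) >= limit:
                break
            else:
                chosen.add(key(t))
                kept[t] = rule
                decided.add(t)
    return kept

def constructed_nightly(last, days):
    """Constructed sample input: one snapshot per night at 02:00."""
    return [last - timedelta(days=i) for i in range(days)]

def horizon_days(kept):
    """Distance between newest and oldest surviving restore point."""
    return (max(kept) - min(kept)).days

if __name__ == "__main__":
    snaps = constructed_nightly(datetime(2025, 6, 30, 2, 0), 120)
    kept = simulate_prune(snaps, {"daily": 7, "weekly": 4, "monthly": 3})
    for t in sorted(kept, reverse=True):
        print(t.date(), kept[t])
    print("restore horizon:", horizon_days(kept), "days")
```

In this model the May restore point is 25 May rather than 31 May, because 26 to 31 May share an ISO week with the kept 1 June snapshot and are pruned by the weekly rule before the monthly rule runs.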

7) Hardening, monitoring, and updates

  • Disable unused accounts; enforce 2FA; rotate tokens.
  • Ship logs to a collector; monitor task-log, system health, and SMART/ZFS status.
  • Update regularly: apt update && apt upgrade; reboot in planned maintenance periods.
  • Consider a secondary PBS for Remote Sync (offsite/DR).

8) Test restores

  • Restore to a non-production VMID or fenced network monthly.
  • File-level: mount snapshots from PBS or via proxmox-backup-client mount.
  • Record RTO/RPO; tune bandwidth or retention to meet targets.

Troubleshooting quick hits

  • Slow backups: Check source disk/NIC throughput; MTU match; watch CPU/ARC on PBS.
  • Cert warnings: Use the FQDN in the cert; refresh fingerprint in PVE after renewals.
  • Space pressure: Add capacity or adjust retention to stabilize growth.
