How-to

Secure PBS access.

Enable MFA, tighten network access, and use scoped tokens so only authorized users and hosts can touch your backups.

Steps

  1. Enforce MFA. Require MFA for users; prefer API tokens for automation.
  2. Restrict network access. Use firewalls/VLANs to allow only Proxmox VE hosts and admin IPs to reach PBS (UI/API/backup ports).
  3. Use least-privilege roles. Assign roles per datastore/namespace; avoid root unless required.
  4. Pin TLS fingerprints. Approve and monitor fingerprints; re-approve only when expected.
  5. Audit access. Review access logs regularly; alert on failed logins and token changes.
  6. Back up configs securely. Store PBS config backups offsite with restricted access.
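
One way to check steps 1 and 3 for automation tokens, as an added example that is not part of the original page or Proxmox's own tooling. It assumes ACL entries of the form acl:<propagate>:<path>:<auth-ids>:<roles> (as stored in /etc/proxmox-backup/acl.cfg) and token IDs written user@realm!tokenname; the sample entries and the set of roles treated as too broad are constructed for illustration.

```python
# Added example: least-privilege audit of PBS API-token ACLs (not Proxmox code).
# Assumed entry format: acl:<propagate 0|1>:<path>:<auth-ids>:<roles>
# Policy assumption: these roles are too broad for automation tokens.
BROAD_ROLES = {"Admin", "DatastoreAdmin"}

# Constructed sample, not taken from a real server.
SAMPLE_ACL = """\
acl:1:/:root@pam!monitoring:Admin
acl:1:/datastore/store1/pve-prod:backup@pbs!pve1:DatastoreBackup
acl:1:/datastore:sync@pbs!offsite:DatastoreReader
acl:0:/datastore/store1:alice@pbs:DatastoreAdmin
"""


def parse_acl(text):
    """Yield (path, auth_id, role) for every entry in acl.cfg-style text."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 5 or parts[0] != "acl":
            continue  # skip blank, comment or malformed lines
        path, auth_ids, roles = parts[2], parts[3], parts[4]
        for auth_id in auth_ids.split(","):
            for role in roles.split(","):
                yield path, auth_id, role


def audit_tokens(text):
    """Return sorted (auth_id, path, reason) findings for API tokens only."""
    findings = set()
    for path, auth_id, role in parse_acl(text):
        if "!" not in auth_id:
            continue  # a user entry; tokens are written user@realm!name
        user = auth_id.split("!", 1)[0]
        segments = [s for s in path.split("/") if s]
        if user == "root@pam":
            findings.add((auth_id, path, "token belongs to root@pam"))
        # Expect /datastore/<store> or /datastore/<store>/<namespace>.
        if segments[:1] != ["datastore"] or len(segments) < 2:
            findings.add((auth_id, path, "not scoped to a datastore/namespace"))
        if role in BROAD_ROLES:
            findings.add((auth_id, path, f"broad role {role}"))
    return sorted(findings)


if __name__ == "__main__":
    for auth_id, path, reason in audit_tokens(SAMPLE_ACL):
        print(f"{auth_id:22} {path:28} {reason}")
```

A token's effective permissions are also limited by those of its owning user, so review the owner's ACL entries alongside the token's.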

Prereqs

  • Firewall/VLAN controls in place
  • MFA enabled for admins
  • Role mapping for users/tokens
  • Approved TLS fingerprint

Quick checks

  • MFA required for UI logins.
  • Tokens scoped to specific datastores/namespaces.
  • Only allowed IPs/subnets reach PBS ports.
  • Access logs reviewed; alerts configured.

If something fails

  • Rotate tokens and revoke unused accounts.
  • Re-pin the TLS fingerprint if certificates change.
  • Harden firewall rules to only necessary hosts.
  • Enable additional logging and review for anomalies.
