How-to guide

How to set up and configure Proxmox Backup Server

Install, harden, and tune PBS for reliable backups from Proxmox VE. This walkthrough covers storage, networking, TLS, retention, verification, and restore testing.

View pricing Back to resources

At a glance

Get a production-ready PBS fast.

  • 01Install PBS on Debian/ISO
  • 02Design storage + network layout
  • 03Harden access with TLS and roles
  • 04Connect PVE and schedule jobs

Contents

Prep checklist

  • 64-bit CPU with AES-NI, 16 GB+ RAM minimum; more for heavy verify/GC.
  • Dedicated datastore disks (SAS/NVMe). Keep OS separate.
  • 10/25 Gbps NICs on a backup VLAN; consistent MTU end-to-end.
  • Forward and reverse DNS for the PBS hostname, plus a valid TLS cert plan (ACME or imported).
  • NTP enabled on PBS and all Proxmox VE nodes.

1) Install Proxmox Backup Server

Use the ISO when possible. For current PBS 4 on Debian 13 (trixie), add the pbs-no-subscription repository with deb822:

sudo install -d /etc/apt/keyrings
wget -qO /etc/apt/keyrings/proxmox-release-bookworm.gpg https://enterprise.proxmox.com/debian/proxmox-release-bookworm.gpg
cat <<'EOF' | sudo tee /etc/apt/sources.list.d/pbs.sources
Types: deb
URIs: http://download.proxmox.com/debian/pbs
Suites: trixie
Components: pbs-no-subscription
Signed-By: /etc/apt/keyrings/proxmox-release-bookworm.gpg
EOF
sudo apt update && sudo apt install proxmox-backup-server

For PBS 3.x on Debian 12 (bookworm), you can still use the legacy list entry:

echo "deb http://download.proxmox.com/debian/pbs bookworm pbs-no-subscription" \
  | sudo tee /etc/apt/sources.list.d/pbs.list
wget -qO- https://enterprise.proxmox.com/debian/proxmox-release-bookworm.gpg \
  | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/proxmox-release.gpg
sudo apt update && sudo apt install proxmox-backup-server

Access the UI at https://<pbs-host>:8007. Create an admin user in the pbs realm to avoid daily root usage.

2) Design storage and datastores

Separate OS and datastore disks. ZFS mirror/RAID10 on SAS/NVMe gives predictable backup and verify speeds.

  • Create pool (example): zpool create -f pbsdata mirror /dev/sdX /dev/sdY.
  • Mount at /mnt/pbsdata and persist with /etc/fstab or a systemd mount.
  • In PBS: Administration > Storage > Add > Directory → path /mnt/pbsdata → name primary.
  • Enable Namespace Mode if you need tenant/environment separation.
  • Add a metadata/special device for faster verification on large repos.

3) Network for backup traffic

  • Use a dedicated VLAN/VRF for backups; keep management separate.
  • Match MTU across path; verify with ping -M do -s 8972 <pbs> for jumbo frames.
  • Prefer bonded uplinks (LACP) and pin PBS NICs to backup networks.
  • Monitor drops/retransmits during windows; adjust offload settings if CPU-bound.

4) Secure PBS (TLS, auth, firewall)

  • TLS: Use ACME or upload a signed cert for the hostname PVE will use.
  • Accounts: Create pbs-backup in pbs realm; assign BackupAdmin or scoped DatastorePowerUser.
  • Tokens: Issue API tokens per PVE cluster; scope to datastores.
  • Firewall: Allow TCP 8007 from PVE nodes; restrict SSH/UI to admin sources.
  • 2FA: Require for UI logins where possible.

5) Connect Proxmox VE to PBS

Add PBS storage in each PVE cluster.

# In PVE: Datacenter > Storage > Add > Proxmox Backup Server
# CLI option:
pvesm add pbs pbs-primary \
  --server pbs.example.com \
  --fingerprint <pbs-fingerprint> \
  --datastore primary \
  --username pbs@pbs --password 'TOKEN_OR_PASSWORD'
  • Get the fingerprint on PBS: proxmox-backup-manager cert info | grep SHA256.
  • For tokens: --username 'pbs@pbs!tokenid' and --password 'token-secret'.
  • Enable “Verify TLS certificate” in PVE to enforce hostname match.

6) Build backup jobs

  • Schedule VM backups daily or twice daily; align with maintenance windows.
  • Retention starting point: keep 7 daily, 4 weekly, 3 monthly; avoid unlimited.
  • Compression: keep zstd unless CPU constrained.
  • Bandwidth: apply per-job limits only during business hours if needed.
  • Use namespaces or tags to separate prod/stage and simplify pruning.

7) Pruning and garbage collection

  • In PBS datastore: configure prune rules (e.g., keep-daily 7, keep-weekly 4, keep-monthly 3).
  • Run GC after prune, preferably nightly but outside peak backup time.
  • Watch logs for namespace-in-use or chunk errors; investigate latency.

8) Verification (integrity checks)

  • Schedule verify weekly (daily for critical data) in Datastore > Verify.
  • Use fast cache/special devices to speed large verify jobs.
  • Alert on failures; correlate with storage latency or network drops.

9) Hardening, monitoring, and updates

  • Disable unused accounts; enforce 2FA; rotate tokens.
  • Ship logs to a collector; monitor task-log, verify outputs, and SMART/ZFS health.
  • Update regularly: apt update && apt upgrade; reboot in maintenance windows.
  • Consider a secondary PBS for Remote Sync (offsite/DR).

10) Test restores

  • Restore to a non-production VMID or fenced network monthly.
  • File-level: mount snapshots from PBS or via proxmox-backup-client mount.
  • Record RTO/RPO; tune bandwidth, verify cadence, or retention to meet targets.

Troubleshooting quick hits

  • Slow backups: Check source disk/NIC throughput; MTU match; watch CPU/ARC on PBS.
  • Prune failures: Permissions or namespace mismatch—verify roles and datastore path.
  • Cert warnings: Use the FQDN in the cert; refresh fingerprint in PVE after renewals.
  • Space not freeing: Run GC; ensure namespaces are included.
  • Verify errors: Inspect ZFS health/SMART; review dmesg for IO issues.

Want PBS hosted and managed?

We provision dedicated storage, tune PBS, and monitor backups 24/7.

See plans