Proxmox Backup Server (PBS): The Ultimate Guide for Secure and Efficient Backups in Proxmox VE Environments

Introduction

Reliable backups are the backbone of any stable IT infrastructure. In the hosting sector and in virtualization environments like Proxmox VE, it's essential to back up data quickly, efficiently, and securely, and to be able to restore it in case of emergency.

At Becker Software, we have been using the Proxmox Backup Server (PBS) for years, a powerful and cost-free open-source solution specifically developed for Proxmox VE. In this article, we will show you how to set up, secure, and optimally use PBS — including our proven best practices from daily operations.

What is the Proxmox Backup Server?

The Proxmox Backup Server is a backup solution specifically tailored to Proxmox Virtual Environment (Proxmox VE). It enables fast, incremental, and deduplicated backups of virtual machines and containers.

Benefits at a glance:

  • Open-source software without licensing costs
  • Seamless integration with Proxmox VE
  • Dedicated, secure backup format
  • Incremental backups and deduplication for efficient storage
  • High security and comprehensive rights management

Compared to other solutions like Veeam or Bareos, PBS stands out due to its tight integration with Proxmox VE and its simple management via a modern web interface.

System Requirements and Preparation

To ensure that the Proxmox Backup Server runs stably and performs well, the following prerequisites should be met:

Hardware Recommendation:

  • At least 4 CPU cores (amd64)
  • 8 GB RAM recommended (16 GB or more is better); according to the manufacturer’s specifications, 4 GB should be sufficient.
  • Separate redundant data storage (SSD or enterprise HDD, depending on the data volume) or, alternatively, external network-based storage.
  • 1 Gbit/s network or faster.

Software Prerequisites:

  • Latest PBS ISO file, downloaded from the Proxmox website.
  • Ability to mount ISO via IPMI, iLO, or USB.

Network and Security:

  • Separate VLAN or dedicated network for backups.
  • Firewall rules for access protection.
  • Optional: VPN for offsite backup targets.

Installation Step by Step

  1. Download and Install PBS ISO

First, we download the latest Proxmox Backup Server ISO image directly from the official Proxmox website. This ensures that we are always working with the latest, securely patched version.

Here’s how to proceed:

  • Go to the download page at https://www.proxmox.com/en/downloads.
  • Select the Proxmox Backup Server section and download the ISO file.
  • Next, transfer the ISO image to a USB stick using tools like Rufus or balenaEtcher.
  • Boot the target server from this USB stick and follow the installation wizard.

During the installation, select the appropriate installation drive and confirm the remaining steps.

  2. Partition the Disk and Choose the System Drive

In the next step, we define which hard drive will be the system drive for the Proxmox Backup Server. This is critical for stable and high-performance operation.

Our best practices:

  • We use a separate SSD or NVMe drive for the operating system.
  • Additional drives for backup storage are not mounted during installation but only after the initial configuration.
  • The default partitioning scheme of Proxmox is adjusted if necessary, especially if specific RAID or LVM configurations are desired.

Once the installation assistant finishes partitioning, we move on to network configuration.

  3. Configure the Network and Assign a Hostname

A stable and clearly defined network configuration is crucial for backup servers. We set the hostname and network settings during the installation process.

Key points to pay attention to:

  • Assign a unique hostname based on our internal naming scheme, e.g., pbs01.domain.local.
  • The IP address is assigned statically, not via DHCP, to ensure reliable accessibility.
  • The gateway and DNS servers are entered according to our network structure.
  • For future Let's Encrypt certificates or DNS-based services, the hostname should be externally resolvable.

Once this step is completed, the server will boot and be ready for the first login via the web interface.

Initial Configuration: Create Datastore

Once the installation is complete and the Proxmox Backup Server is accessible via the web interface, we make the first basic configuration. The most important step here is creating a datastore, the location for your backups.

Why a Separate Datastore?

A datastore in PBS is nothing more than a directory on a disk that is used to store backups. The great advantage is that the backups are not tied to a specific file system or complex database. The data is directly stored as files and directories in a well-structured and traceable folder system.

Here’s how to create the datastore:

  • In the web interface, navigate to Datastore → Create.
  • Select the desired drive where the backups will be stored.
  • Next, define a directory, e.g., /mnt/datastore01.
  • Give the datastore a unique name (e.g., pbs-backup01).
  • Save it — the datastore is now available for backup jobs.

How PBS Stores the Backups Internally

The Proxmox Backup Server uses a very robust and well-thought-out backup format:

  • Deduplicated Chunk Files: The actual data of your VMs and containers is split into small, encrypted chunks. Each chunk is stored as a single file on the backup storage and is only stored once, even if it appears in multiple backups. This saves a tremendous amount of storage space.
  • Metadata Files: For each backup, metadata and an index are created. This data records which chunks belong to which backup and how to reassemble them. This metadata is the key to performing restores.
  • Robustness through File-Based Concept: You can easily move the entire backup directory (i.e., the entire datastore folder) to another Proxmox Backup Server, for example via rsync, ZFS snapshot, or physical disk swap.
    As long as the metadata files are available, the new server can fully read and restore the backups, even if the data is encrypted.

This creates an extremely fail-safe and flexible backup structure, which is also excellent for offsite backups and disaster recovery scenarios.

Our Recommendation

We recommend creating a separate datastore for each backup strategy or cluster. This ensures clarity and simplifies permissions management.

Tip: If you ever need to move the backup directory to a new system, simply copy the directory structure and rebind the datastore in the new PBS. Within minutes, all backups will be available again — without needing to reinstall or restore a database.

Backup Users and Permission Management

An often underestimated but critically important aspect of setting up a backup system is careful user rights management. Especially in conjunction with Proxmox VE as the backup source, careless permission assignment can lead to accidental or malicious deletion of backups.

We place particular emphasis on ensuring that no host or automated process can remove backups. In this section, we’ll show you how we enforce this using the Proxmox Backup Server (PBS) permission management.

Why is this so important?

If a Proxmox VE host is granted unrestricted rights on the datastore, a compromise or misconfiguration could delete the entire backup directory. This is a critical risk that we proactively mitigate.

Our solution: Backup user with restricted permissions

For each Proxmox VE host that writes backups to PBS, we create a dedicated user. This user gets only the necessary rights to create and read backups—but no delete permissions.

How we set up the backup user

  • In the PBS web interface, navigate to Permissions → User.
  • Create a new user, e.g. pve01-backup@pbs.
  • Generate an API token for this user (to be used by Proxmox VE for backups).
  • Under Permissions → Datastore, assign the DatastoreBackup role to this user on the relevant datastore:
    • Allows creating and reading backups
    • Does not allow deleting backups
  • Optionally, assign a strong password for web-interface login if needed.

Defining permissions at the datastore level

Permissions in PBS are datastore-specific. That means:

  • A user can only operate on the datastore(s) for which they have explicit rights.
  • You can manage access granularly per datastore.

Our security principle: Each host that writes backups only gets write and read rights on its own datastore. Backups authenticate via API tokens, and deletion is explicitly disabled.

Advantages of this approach

  • Minimized risk from compromised hosts: A compromised Proxmox VE host cannot delete backups.
  • Clean separation of permissions: Each host uses its own API token and only accesses its designated datastore.
  • Full control: Only a dedicated PBS admin can perform deletions.
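
The security principle above can be checked mechanically. The following is an added example, not part of the original article or of PBS itself: a Python audit that flags backup-writer identities whose ACL entries allow removing backups or are not scoped to a single datastore. It assumes ACL entries exported as JSON with the fields path, ugid, roleid and propagate; the token names and the sample entries are constructed.

```python
import json

# Roles whose privileges include Datastore.Prune or Datastore.Modify and
# that can therefore remove snapshots.
CAN_DELETE = {"Admin", "DatastoreAdmin", "DatastorePowerUser"}

def applies_to_datastores(path, propagate):
    """True if an ACL entry on `path` is effective on at least one datastore."""
    if path.startswith("/datastore/"):
        return True
    return bool(propagate) and path in ("/", "/datastore")

def audit_acl(entries, backup_ids):
    """Return (identity, path, reason) findings for backup-writer identities."""
    findings = []
    for e in entries:
        if e["ugid"] not in backup_ids:
            continue                      # admins etc. are out of scope here
        if not applies_to_datastores(e["path"], e["propagate"]):
            continue
        if e["roleid"] in CAN_DELETE:
            findings.append((e["ugid"], e["path"],
                             "role %s can remove backups" % e["roleid"]))
        elif not e["path"].startswith("/datastore/"):
            findings.append((e["ugid"], e["path"],
                             "not scoped to a single datastore"))
    return findings

# Constructed sample ACL (field names are an assumption, see lead-in).
SAMPLE_ACL = json.loads("""[
 {"path": "/datastore/pbs-backup01", "ugid": "pve01-backup@pbs!pve01",
  "roleid": "DatastoreBackup", "propagate": true},
 {"path": "/datastore/pbs-backup02", "ugid": "pve02-backup@pbs!pve02",
  "roleid": "DatastorePowerUser", "propagate": true},
 {"path": "/datastore", "ugid": "pve03-backup@pbs!pve03",
  "roleid": "DatastoreBackup", "propagate": true},
 {"path": "/", "ugid": "admin@pbs", "roleid": "Admin", "propagate": true}
]""")
BACKUP_IDS = {"pve01-backup@pbs!pve01", "pve02-backup@pbs!pve02",
              "pve03-backup@pbs!pve03"}

if __name__ == "__main__":
    for ident, path, reason in audit_acl(SAMPLE_ACL, BACKUP_IDS):
        print("%-26s %-26s %s" % (ident, path, reason))
```
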

Creating and Managing Backup Jobs in Proxmox VE

Once PBS is up and running with the datastore and restricted users in place, we configure automated backup jobs on the Proxmox VE hosts. This ensures your VMs and containers are backed up reliably and regularly.

How we create backup jobs in Proxmox VE

  1. In the Proxmox VE web interface, select Datacenter → Backup.
  2. Click Add to create a new backup job.
  3. Configure:
    • Backup Mode: Snapshot for consistent live backups
    • Storage: Your PBS datastore
    • Schedule: e.g. daily at 02:00
    • Email notification: Enable on success and failure
  4. Under Selection Mode, choose all VMs/containers or a defined subset.
  5. Click Add to include them in the job.

Authentication detail: We authenticate to PBS using the API token of the backup user. This keeps permissions minimal—deletion is not possible, greatly enhancing security.

Prune Jobs and Retention Policies

To prevent your datastore from filling with outdated backups, we configure Prune Jobs. These define how many backups per VM/container to keep and when to remove older versions.

Prune Simulator: Test your rules safely

The PBS Prune Simulator lets you:

  • Simulate against existing backup history and planned retention rules
  • See exactly which backups would be pruned—risk-free

Find it here: https://pbs.proxmox.com/docs/prune-simulator/

We use these proven defaults:

  • keep-last: 7 (Always keep the last 7 backups)
  • keep-daily: 14 (Retain the last 14 daily backups)
  • keep-weekly: 4 (Keep 4 weekly backups)
  • keep-monthly: 12 (Keep the last 12 monthly backups)
  • keep-yearly: 1 (At least one annual backup)
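
To see what these defaults retain without touching a datastore, the following added example (not part of the original article and not PBS's own code) is a simplified Python model of the documented prune semantics: options are applied in the order listed, and a period already covered by a kept backup is not counted again. The 400-day daily backup history is constructed.

```python
from datetime import datetime, timedelta

# Retention options in the order they are applied, each with the function
# that maps a backup time to the period it belongs to.
RULES = [
    ("keep-last",    lambda t: t.isoformat()),
    ("keep-daily",   lambda t: t.strftime("%Y-%m-%d")),
    ("keep-weekly",  lambda t: "%d-W%02d" % t.isocalendar()[:2]),  # ISO week
    ("keep-monthly", lambda t: t.strftime("%Y-%m")),
    ("keep-yearly",  lambda t: t.strftime("%Y")),
]

def simulate_prune(snapshots, policy):
    """Model one backup group: return {time: keeping rule, or None if pruned}."""
    ordered = sorted(snapshots, reverse=True)          # newest first
    mark = {}
    for name, period in RULES:
        keep = policy.get(name, 0)
        if not keep:
            continue
        # Periods already represented by a backup kept by an earlier rule.
        covered = {period(t) for t, rule in mark.items() if rule}
        chosen = set()
        for t in ordered:
            if t in mark:
                continue
            pid = period(t)
            if pid in covered:
                continue                               # left for later rules
            if pid in chosen:
                mark[t] = None                         # older duplicate in a kept period
            elif len(chosen) >= keep:
                break                                  # rule exhausted
            else:
                chosen.add(pid)
                mark[t] = name
    return {t: mark.get(t) for t in ordered}

def kept(result):
    return sorted(t for t, rule in result.items() if rule)

# Constructed history: one backup per day at 02:00 for 400 days.
HISTORY = [datetime(2024, 12, 31, 2, 0) - timedelta(days=d) for d in range(400)]
POLICY = {"keep-last": 7, "keep-daily": 14, "keep-weekly": 4,
          "keep-monthly": 12, "keep-yearly": 1}

if __name__ == "__main__":
    result = simulate_prune(HISTORY, POLICY)
    for t in kept(result):
        print(t.date(), result[t])
    print(len(kept(result)), "of", len(result), "backups kept")
```

In this run keep-yearly selects nothing extra, because both calendar years are already represented by newer kept backups; the oldest restorable point is 2023-11-30.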

Advantages:

  • Ample coverage for daily restores and long-term archives
  • Automatic cleanup of outdated backups
  • Deduplication keeps old backups space-efficient

Setting up the Prune Job in PBS

  1. In PBS, go to Datastore → Prune Jobs and click Add.
  2. Select the target datastore.
  3. Define the prune schedule (e.g. daily at 03:30).
  4. Enter retention rules (see above).
  5. Choose the API token for authentication.
  6. Activate and save.

Your backup storage stays tidy and performant.

PBS Sync Jobs for Offsite Backups

To further secure your data, we configure Sync Jobs between multiple PBS instances. This replicates backups to a secondary server—e.g., another datacenter, branch office, or encrypted off-site storage.

Why Sync Jobs?

Storing backups on one server is risky. Hardware failure, ransomware, or a site outage can render all backups unavailable. Regular synchronization to a second PBS minimizes this risk.

How we set up Sync Jobs

  • In PBS, navigate to Datastore → Sync Jobs.
  • Click Add.
  • Configure:
    • Remote Datastore: Target on the remote PBS
    • Local Datastore: Source datastore
    • Schedule: e.g. nightly at 03:00
    • Remove Vanished: Optional—deletions from the source can mirror to the target (we usually disable this for safety)
  • Authenticate with a dedicated, restricted API token.

How the sync works

PBS transfers only new or changed deduplicated chunks and their metadata. This reduces network load and speeds up replication. Thanks to robust metadata, restores on the target PBS are fully possible.

Even if a sync is interrupted, it resumes seamlessly without data loss.

Maintenance and Monitoring: Keeping PBS in View

Ensuring long-term reliability means ongoing maintenance and monitoring of PBS.

Backup status monitoring

We integrate PBS into our central monitoring system to track:

  • Datastore health
  • Sync job status
  • System resource usage

We enable email alerts for:

  • Failed backups
  • Low storage warnings
  • Connectivity issues with Proxmox VE hosts
  • Sync errors on offsite backups

This ensures immediate awareness of issues and rapid response.

Direct SMTP notifications without Sendmail/Postfix

Both PBS and Proxmox VE allow you to configure SMTP directly in the web interface—no local MTA (Sendmail or Postfix) required.

Advantages:

  • Quick, easy setup
  • Reliable email alerts
  • Full control over sender address and SMTP credentials
  • TLS/SSL and authentication support

We use this method consistently to avoid extra services that need securing.

Regular maintenance

Our operational routine includes:

  • Checking available storage on all datastores
  • Reviewing logs and notification reports
  • Performing test restores to verify backup integrity
  • Monitoring and renewing SSL certificates
  • Applying PBS system updates and security patches

Note: We recommend a full test restore at least monthly to confirm your backups are actually restorable.

Automated logging

All backup and sync jobs are automatically logged. Logs are accessible via the PBS web interface and API, providing a complete audit trail of all operations.