Skip to content

Getting Started

Connect your Proxmox Backup Server (PBS) to IsoVault, lock it behind Cloudflare Zero Trust, and run a backup + restore validation.

Requirements

  • PBS 2.4+ with outbound HTTPS allowed (no inbound holes required).
  • Cloudflare account with Zero Trust enabled and a domain you can manage.
  • A repository/namespace sized for your data and credentials with least privilege.
  • Linux host that will run proxmox-backup-client or Docker for the client container.

Step 1 — Create a scoped token in PBS

  1. In PBS: Datastore > Permissions > API Tokens.
  2. Create a token with DatastoreBackup (write) for backups; add a separate DatastoreReader for restore-only access.
  3. Copy the token ID and secret and store them in a password manager.

Step 2 — Set up Cloudflare Tunnel & Zero Trust

  1. On PBS, install cloudflared from Cloudflare’s repo.
  2. Create a tunnel: cloudflared tunnel create isovault-pbs
  3. Route DNS: cloudflared tunnel route dns isovault-pbs pbs.example.com
  4. Configure access policy in Cloudflare Zero Trust to require SSO or service tokens for pbs.example.com.
  5. Run the connector: cloudflared tunnel run isovault-pbs (or via systemd) and keep firewall egress-only.

Step 3 — Install the client

Debian/Ubuntu (no-subscription repo shown):

sudo apt update
sudo apt install -y wget gnupg
wget -O- https://enterprise.proxmox.com/debian/proxmox-release-bookworm.gpg | sudo tee /etc/apt/trusted.gpg.d/proxmox-release.gpg
echo "deb http://download.proxmox.com/debian/pbs-client bookworm main" | sudo tee /etc/apt/sources.list.d/pbs-client.list
sudo apt update && sudo apt install -y proxmox-backup-client

Docker (no install on host):

docker run --rm -v $(pwd):/data proxmox/pbs-client --version

Step 4 — Configure environment

  • PBS_REPOSITORY<hostname>:<datastore> (e.g. pbs.example.com:docs)
  • PBS_USERNAME — token name (e.g. backup@pbs!vault-writer)
  • PBS_PASSWORD — token secret
  • PBS_FINGERPRINT — TLS fingerprint of PBS (optional but recommended)

Step 5 — Run your first backup

PBS_REPOSITORY=pbs.example.com:docs PBS_USERNAME=backup@pbs!vault-writer PBS_PASSWORD=REPLACE_ME proxmox-backup-client backup home.pxar=/srv/data/home --ns main --verbose

Use --ns to keep namespaces separate per team or customer.

Step 6 — Run a restore test

proxmox-backup-client restore   home.pxar   --repository pbs.example.com:docs   --snapshot main/host/$(proxmox-backup-client snapshots --repository pbs.example.com:docs | head -n 1 | awk '{print $1}')   ./restore-check --verbose

Compare checksums on the restored folder or run your app’s smoke tests against it.

Step 7 — Monitor

  • Check PBS UI or proxmox-backup-client status for job freshness.
  • Enable alerts for failed backups and set a schedule for monthly restore drills.
  • Rotate tokens regularly and scope them to the minimal datastore/namespace needed.

Troubleshooting

  • Tunnel won’t connect: ensure outbound 443 is open and the Cloudflare connector is running.
  • TLS errors: set PBS_FINGERPRINT to pin the server certificate.
  • Permission denied: verify the token role includes DatastoreBackup or DatastoreReader for the target namespace.