Glossary
Backup & Restore~8 min
Terms used across the backup & restore documentation, with their definition.
Terms are grouped by theme. Every entry gives the term and a short definition.
Encryption and key recovery
Vocabulary for the PBS encryption block. It involves two distinct secrets: a binary keyfile and a written passphrase.
- Recovery passphrase
- Text password the operator picks to protect the recovery envelope. It is prompted twice with a match check, and is only used to encrypt the envelope and to decrypt it if the keyfile ever needs to be recovered. It is not the passphrase that unlocks the keyfile itself, and it is never sent to PBS. During a normal backup it never leaves the host.
- Keyfile (encryption key)
- Binary file that Proxmox Backup Server uses to encrypt the chunks of each backup before uploading them. Without this file, no encrypted backup can be read. ProxMenux stores it at
/usr/local/share/proxmenux/pbs-key.confwith mode600. This is the asset that has to be protected; the recovery envelope exists precisely so that this file can be rescued if it is lost. - Keyfile passphrase (KDF passphrase)
- Optional passphrase that the keyfile itself may carry, distinct from the recovery passphrase. It only exists when the keyfile was created with
--kdf scrypt(typically an imported keyfile). Without it, the keyfile cannot be unlocked for use. ProxMenux persists it in encrypted form on the host so that scheduled backups can run without an interactive prompt. - Recovery envelope
- The keyfile wrapped in an extra layer: it is encrypted with the recovery passphrase using AES-256-CBC and PBKDF2 before it ever leaves the host. It is what gets uploaded to PBS as the
-keyrecoverygroup. Without the passphrase, the envelope is opaque: downloading it from PBS does not reveal the keyfile. - Client-side encryption
- Encryption model in which data is encrypted on the source host before being uploaded. PBS only ever receives and stores ciphertext; not even a PBS administrator with datastore access can read it without the keyfile. ProxMenux builds on this model and adds the recovery envelope on top.
- --kdf none
- Option to
proxmox-backup-client key createthat produces a keyfile with no attached passphrase. The keyfile can be used directly without a prompt, which is essential for scheduled jobs running unattended. This is what ProxMenux uses by default when generating a new keyfile. - --kdf scrypt
- Option to
proxmox-backup-client key createthat produces a keyfile protected by a keyfile passphrase. Each use of the keyfile requires unlocking it with that passphrase. ProxMenux accepts this style of keyfile on import and stores the passphrase encrypted so scheduled backups can still run unattended. - AES-256-CBC
- Standard symmetric cipher. ProxMenux uses it (via
openssl enc -aes-256-cbc) to wrap the keyfile with the recovery passphrase and produce the envelope. - PBKDF2
- Cryptographic function that turns a human-typed passphrase into a binary key suitable for encryption. It slows down brute-force attempts by applying many iterations. ProxMenux uses it with 600 000 iterations and a random salt when encrypting the recovery envelope.
Backup structure
Terms describing what lives inside a backup, regardless of destination.
- rootfs / root filesystem
- A flat copy of the source host's filesystem, produced by
rsyncover the default profile plus any custom paths. It is not a whole-disk image: only paths that contain configuration or state Proxmox cannot regenerate on its own are copied. - Manifest (manifest.json)
- Structured JSON document describing the source host at backup time: hardware, storage, kernel, ProxMenux-installed components and inventory of VMs and LXCs. It is produced by six independent collectors. The restore flow uses it to compare source and target.
- Staging directory
- Temporary directory where ProxMenux assembles the three blocks (rootfs, metadata and manifest) before packing them and uploading to the destination. It is removed automatically when the backup finishes, even on abort.
- Default profile
- Curated set of paths that ProxMenux copies by default in every backup. Covers PVE config, network, SSH, kernel, apt, ProxMenux tools and more. It is defined in code and documented on the How it works page.
- Custom paths
- Extra paths the user adds on top of the default profile. Either persistent (stored in
backup-extra-paths.txt) or per-run (picked in Custom mode).
Destinations and storage
Terms tied to where the backup lands — PBS server, local archive or Borg repository — and how PBS organises the data.
- PBS repository
- Combination of Proxmox Backup Server + datastore + user that receives the backup. Identified by the string
user@realm@host:datastore. A single PBS server can host several repositories. - Datastore
- Concrete store inside a PBS server where backups and their chunks live. Each datastore sits on a filesystem of the PBS server and has its own permissions and policies.
- Chunk / chunk deduplication
- PBS splits every backup into variable-size chunks, identifies each chunk by its hash and stores each chunk only once, even if it appears in many different backups. This means successive backups of the same host — or across similar hosts — take very little additional space.
- Fingerprint
- Cryptographic fingerprint of the PBS server's TLS certificate. It lets the client verify it is talking to the intended server without relying on a public certificate authority. ProxMenux passes it to
proxmox-backup-clientvia thePBS_FINGERPRINTenvironment variable. - Backup group
- Logical container inside PBS under which successive backups of the same asset accumulate. Each new backup shares deduplication with earlier ones in the same group. ProxMenux uses two groups per host when encryption is enabled: one for the host backup and one with a
-keyrecoverysuffix for the recovery envelope. - Backup ID
- Name of the backup group. ProxMenux defaults to
hostcfg-HOSTNAMEand lets the operator edit it before upload; unsupported characters are stripped automatically. - .pxar
- PBS-native archive format for directories. It behaves like a tar optimised for chunk deduplication: rather than storing an opaque file, PBS breaks its contents into reusable chunks.
Execution and scheduling
Terms used by the ProxMenux scheduled-jobs system.
- Runner
- The
run_scheduled_backup.shscript that executes a scheduled backup. It reads the job config, launches the matching backend (Local, PBS or Borg), applies retention on success and sends the configured notifications. - Scheduled job
- Persisted configuration of a recurring backup. Holds destination, credentials, encryption, schedule and retention. Lives at
/var/lib/proxmenux/backup-jobs/<id>.env. - Attach mode
- Scheduled job with no schedule of its own; it fires automatically whenever an existing PVE
vzdumptask runs. It inherits the schedule and retention from that parent task. Supported for Local and PBS destinations only. - Systemd timer
- Standard systemd mechanism that fires a command on a calendar. ProxMenux creates one timer per independent scheduled job; attach-mode jobs use no timer, they run via the PVE script-hook.
- Retention (keep-last, keep-daily…)
- Policy that decides which older backups to keep and which to prune. Defined per job with parameters like
keep-last,keep-daily,keep-weekly,keep-monthly. Applied by the runner after each successful backup.
Restore
Terms from the restore flow.
- Universal restore
- The ProxMenux restore flow does not just extract the filesystem: it reads the manifest to spot differences between source and target, reproduces the system configuration and re-runs the installers for the ProxMenux-managed components. The goal is to reproduce the source host, not merely the archive.
- Hydration (cross-kernel)
- Restore pass that merges the user's own configuration from the source (IOMMU tokens, VFIO device IDs, custom quirks, GRUB keys) on top of the target's fresh boot configuration, without copying the source's kernel-tied files verbatim. Runs when the target kernel is newer than the backup's.
- Cross-kernel restore
- Restore where the target's kernel differs from (usually is newer than) the source's. Requires the hydration pass to avoid dragging along files incompatible with the target's kernel.
- Post-boot installer
- Components reinstalled after the first boot of the restored host (NVIDIA drivers, Coral TPU drivers, AMD GPU tools, Intel GPU tools). Each installer runs against the target's kernel, so the restored host does not depend on the source's kernel being present.
- Compatibility check
- Comparison between the source manifest and the target's state that ProxMenux performs at the start of the restore. It decides which parts are copied verbatim, which need hydration and which are recreated by an installer.
- Fresh install
- Host just reinstalled from scratch, with no local keyfile. Restoring an encrypted backup requires first recovering the keyfile from the envelope stored on PBS, using the recovery passphrase.
Where next
- How it works — where the rootfs, manifest and application inventory fit inside a backup.
- Proxmox Backup Server destination — where client-side encryption, keyfile, recovery passphrase and envelope are documented in depth.
- Restoring — the restore flow and manifest usage.