Running Proxmox Backup Server (PBS) on a separate VPS from your Proxmox hypervisor ensures that backups survive even if the primary server fails completely. PBS provides incremental backups with deduplication, client-side encryption, and flexible retention policies. This guide covers deploying PBS on a dedicated VPS for offsite backup.
Installing Proxmox Backup Server
# PBS runs on Debian 12 (Bookworm)
# Add PBS repository
echo "deb http://download.proxmox.com/debian/pbs bookworm pbs-no-subscription" > /etc/apt/sources.list.d/pbs.list
wget https://enterprise.proxmox.com/debian/proxmox-release-bookworm.gpg -O /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg
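# Check the key's checksum against the value in the Proxmox installation documentation before trusting it
apt update && apt install proxmox-backup-server -y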
# Access web UI at https://your-vps-ip:8007
Storage Configuration
# Create datastore directory
mkdir -p /mnt/backup-storage
# If using a separate disk, format and mount it (mkfs.ext4 erases any existing data on the partition)
mkfs.ext4 /dev/sdb1
echo "/dev/sdb1 /mnt/backup-storage ext4 defaults 0 2" >> /etc/fstab
mount -a
# Create datastore in PBS web UI:
# Configuration > Storage/Disks > Directory > Create: Datastore
# Or via CLI:
proxmox-backup-manager datastore create mybackups /mnt/backup-storage
Connecting Proxmox VE to PBS
# On your Proxmox VE host:
# Datacenter > Storage > Add > Proxmox Backup Server
# Server: your-pbs-ip
# Username: root@pam
# Password: your-pbs-password
# Datastore: mybackups
# Fingerprint: (get from PBS web UI)
# Or via CLI on Proxmox VE (a password passed as an argument is saved in shell history):
pvesm add pbs pbs-offsite \
--server your-pbs-ip \
--datastore mybackups \
--username root@pam \
--password your-password \
--fingerprint XX:XX:XX...
Backup Jobs
# Create backup job in Proxmox VE:
# Datacenter > Backup > Add
# Storage: pbs-offsite
# Schedule: daily at 02:00
# Selection mode: All VMs
# Mode: Snapshot (no downtime)
# Compression: ZSTD
# Retention: keep-daily=7, keep-weekly=4, keep-monthly=6
# Manual backup via CLI
vzdump 100 --storage pbs-offsite --mode snapshot --compress zstd
Encryption
# Enable client-side encryption (PBS cannot read your data)
# Generate encryption key
proxmox-backup-client key create /etc/pve/priv/pbs-encryption-key.json
# Add key to storage configuration in Proxmox VE
# Datacenter > Storage > pbs-offsite > Encryption Key: upload key
# IMPORTANT: Back up the encryption key separately!
# Without the key, backups are unrecoverable
# A copy on the same host is lost together with it; move this copy to offline or off-host storage
cp /etc/pve/priv/pbs-encryption-key.json /root/pbs-key-backup.json
Retention Policies
# Configure retention on PBS datastore:
# Configuration > Datastore > mybackups > Prune & GC
# Keep Last: 3
# Keep Daily: 7
# Keep Weekly: 4
# Keep Monthly: 6
# Keep Yearly: 1
# Run garbage collection to reclaim space
proxmox-backup-manager garbage-collection start mybackups
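To see which restore points the Prune & GC settings above actually leave you with, the following added example (not part of the original guide and not PBS code) models the documented keep-* selection order over constructed daily snapshots. Period boundaries are computed in UTC as a simplifying assumption, and all function and variable names are illustrative.

```python
from datetime import datetime, timedelta, timezone

# Retention values from the Prune & GC settings above.
POLICY = {"last": 3, "daily": 7, "weekly": 4, "monthly": 6, "yearly": 1}

# Period id per keep option; snapshots sharing an id compete for one slot.
# Assumption: UTC is used here; PBS evaluates periods in the server's local time.
PERIOD_ID = {
    "last": lambda t: t.isoformat(),
    "daily": lambda t: t.strftime("%Y-%m-%d"),
    "weekly": lambda t: "%d-W%02d" % t.isocalendar()[:2],
    "monthly": lambda t: t.strftime("%Y-%m"),
    "yearly": lambda t: t.strftime("%Y"),
}


def prune(snapshots, policy=POLICY):
    """Return (keep, remove) lists of snapshot times, newest first."""
    ordered = sorted(snapshots, reverse=True)
    mark = {}  # snapshot time -> "keep" | "remove"
    for option in ("last", "daily", "weekly", "monthly", "yearly"):
        limit, ident = policy.get(option, 0), PERIOD_ID[option]
        if not limit:
            continue
        # Periods already covered by an earlier option are not counted again.
        covered = {ident(t) for t in ordered if mark.get(t) == "keep"}
        selected = set()
        for t in ordered:
            if t in mark or ident(t) in covered:
                continue
            if ident(t) in selected:
                mark[t] = "remove"  # older snapshot in a period already filled
            elif len(selected) >= limit:
                break  # this option has used all its slots
            else:
                selected.add(ident(t))
                mark[t] = "keep"
    keep = [t for t in ordered if mark.get(t) == "keep"]
    return keep, [t for t in ordered if mark.get(t) != "keep"]


def sample_snapshots(days=500, newest=datetime(2024, 3, 31, 2, 0, tzinfo=timezone.utc)):
    """Constructed input: one snapshot per day at 02:00 UTC, like the backup job."""
    return [newest - timedelta(days=n) for n in range(days)]


if __name__ == "__main__":
    keep, remove = prune(sample_snapshots())
    print(f"{len(keep)} kept, {len(remove)} pruned")
    print(", ".join(t.strftime("%Y-%m-%d") for t in keep))
```

The gaps between the kept dates are the recovery points you lose, so compare them against how long a silent corruption or ransomware event could go unnoticed.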
Monitoring
# Check backup status
proxmox-backup-manager task list
# Verify backup integrity (run on the PBS host; verification is a server-side job)
proxmox-backup-manager verify mybackups
# Monitor storage usage
proxmox-backup-manager datastore status mybackups
# Set up email notifications in PBS:
# Configuration > Notifications > Add SMTP target
Network Security
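# Restrict PBS access to your Proxmox nodes only
ufw default deny incoming
# Keep SSH reachable before enabling the firewall, or you will lock yourself out of the VPS
# (ADMIN_IP is a placeholder for your management address)
ufw allow from ADMIN_IP to any port 22 proto tcp
# Web UI, API and backup traffic all use TCP port 8007
ufw allow from PROXMOX_NODE_IP to any port 8007 proto tcp
ufw enable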
# Use WireGuard VPN for backup traffic encryption in transit
# This adds another layer beyond TLS
Restore Procedures
# Restore VM from PBS backup:
# Proxmox VE > Storage > pbs-offsite > Backups
# Select backup > Restore
# CLI restore
qmrestore pbs-offsite:backup/vm/100/2024-01-15T02:00:00Z 100
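# File-level restore (without restoring entire VM)
# VM snapshots hold disk images: list the archive and partition names, then extract the path
proxmox-file-restore list vm/100/2024-01-15T02:00:00Z / --repository root@pam@pbs-ip:mybackups
# ARCHIVE and PARTITION are placeholders for the names the list command shows
proxmox-file-restore extract vm/100/2024-01-15T02:00:00Z \
/ARCHIVE/PARTITION/etc/nginx/ target-dir/ \
--repository root@pam@pbs-ip:mybackups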
Summary
A dedicated Proxmox Backup Server on a separate VPS provides true offsite backup protection with deduplication that typically achieves 10:1 compression ratios, client-side encryption for security, and automated retention policies. The tight integration with Proxmox VE makes backup and restore operations seamless, while keeping the backup server physically separate ensures your data survives even complete primary server failure.