How to store Proxmox Backup Server archives offsite in a Hetzner Storage Box
If you want a reliable copy of your Proxmox Backup Server archives (both VMs and containers) in a Hetzner Storage Box (or any other storage location that uses SFTP), the most robust and widely recommended approach is to:
- Backup locally to a PBS datastore
- Sync the PBS datastore to the Hetzner Storage Box using
rcloneover SFTP
This preserves backup integrity, supports incremental transfers, and is resilient to network interruptions. I explored other methods but rclone seemed the best for my use case.
Method Comparison
| Method | Reliability | Performance | Deduplication | Encryption |
|---|---|---|---|---|
| PBS → rclone → Storage Box | High | Good | Yes | Optional |
| PBS → SMB/CIFS mount → Storage Box | Medium | Poor | Yes | No |
| PBS → rsync → Storage Box | High | Good | Yes | Optional |
| Direct PBS remote backup | Low | Poor | Yes | No |
Why rclone?
- PBS stores backups in a special, deduplicated, chunked format. Directly backing up to remote mounts (like CIFS/SMB or NFS) can be unreliable and can result in performance issues or data corruption over WAN links.
- Hetzner Storage Box supports SFTP which is reliable and secure for offsite transfers and works well with
rclone. - Rclone is a mature tool that supports incremental sync, bandwidth limits, retries, file-name and hash-based deduplication, and can be automated easily.
Why Hetzner Storage Box?
- Hetzner Storage Box is a reliable, inexpensive solution for short-ish term storage. What do I mean by “short-ish”? Unlike long term storage solutions like Amazon S3 Glacier, a Storage Box is dynamically accessible at any time, but it’s not as performant as local block or object storage that you might use for application hosting.
- Hetzner Storage Box support multiple networking protocols - including SFTP - for put and get requests.
- Hetzner’s Datacenters (Germany and Finland) are outside the “Big Five” - in particular the United States - and more likely to protect your private data. (Either way, use encryption.)
Step-by-Step
1. Backup VMs/CTs to Local PBS Datastore
- Continue using PBS as your primary backup target for Proxmox VE.
2. Use Rclone to Sync PBS Archives to your Hetzner Storage Box
a. Configure your Hetzner Storage Box for SFTP Access
- In your Hetzner “robot” panel, enable SFTP access for your Storage Box and note the username, password, and SFTP port (usually 23).
b. Install and Configure Rclone on Your PBS Host
Install
rcloneif not already presentCreate an rclone config for your Hetzner Storage Box:
[hetzner] type = sftp host = uXXXXXX.your-storagebox.de user = uXXXXXX port = 23 key_file = /root/.ssh/id_rsa # Or use password_auth if preferred shell_type = unix md5sum_command = md5sum sha1sum_command = sha1sumTest the connection:
rclone ls hetzner:
This will list the files and directories at the root of your Storage Box. If you just set it up, it will be empty.
c. Sync your PBS Datastore to Hetzner
Use the following command to sync your PBS datastore (replace local and remote paths as needed):
rclone sync /mnt/datastore hetzner:/pbs-backups --fast-list --transfers 3 --checkers 6- Adjust
--transfersand--checkersto avoid hitting Hetzner’s connection limits (max 10 connections per subaccount). - Optional: Consider using rclone’s
cryptbackend for encryption if you want to encrypt backups before upload. PBS archives are already encrypted, so this is probably overkill.
- Adjust
d. Automate the Sync
- Add the rclone sync command to a cron job for regular offsite replication.
Using a bash Script
The above solution worked fine for me but I knew it could be more user friendly, so I consulted my friend Claude and came up with the requirements for a more refined solution:
Upload only changed files. No use wasting resources when the file is already stored remotely.
Remove expired files. Similar to the above, remove remote files that have been deleted locally. (Sync)
Upload only the correct files. This means only those ending with .pxar (Proxmox Archive Format), .img (disk images), .fidx (fixed index files), .didx (dynamic index files), and .blob (data blobs).
Check and fix permissions. If you’re running everything as root, sooner or later there will be problems. I created a user (rclone ) to run this process. Since the backup files are owned by root a script owned by rclone won’t be able to read and upload them without the correct permissions.
Send email. I want to know when a job has been successful or if it fails. Sure, I can check the log files, but how often will I do that? (Answer: not often enough). I send the email to my Pushover email address so that I can get notifications on my phone in real time.
After a couple of hours of back and forth with Claude I can say that this solution is working as intended.
You can find the most recent version of my Proxmox Backup Sync script here.
Requirements
- rclone (duh)
- An SMTP server. Make sure you have curl or msmtp installed if you’re not running your own mail server. It defaults to sendmail otherwise.
- An understanding of Linux file permissions
- A configured ssh key
Here are some examples of setting proper ownership and permissions for user rclone with the log files stored in the /home/rclone. Consult a more authoritative source for details on permissions.
# Ensure the rclone user can read the PBS datastore (Get coffee: this can take a while)
sudo chmod -R g+r /mnt/datastore/pve-datastore/
sudo find /mnt/datastore/pve-datastore/ -type d -exec chmod g+x {} \;
# Create and set ownership of log directory
sudo mkdir -p /home/rclone/pbs-rclone-sync # creates log directory
sudo chown rclone:rclone /home/rclone/pbs-rclone-sync # sets owner to rclone
sudo chmod 755 /home/rclone/pbs-rclone-sync # sets permissions for log directory
# Set ownership and permissions for the script
sudo chown rclone:rclone /home/rclone/proxmox-backup-sync.sh
sudo chmod 750 /home/rclone/proxmox-backup-sync.sh
# Ensure SSH key has proper ownership and permissions
sudo chown rclone:rclone /home/rclone/.ssh/id_rsa
sudo chmod 600 /home/rclone/.ssh/id_rsa
sudo chmod 700 /home/rclone/.ssh/
Automating the Script
Just like the simpler method above, we’re going to use cron to kick off this process every day.
Crontab Entry
My PBS backups run every morning at 02:30. This crontab entry runs the script every day at 23:00 - plenty of time to copy the previous day’s backups offsite before the next job kicks off:
23 0 * * * /home/rclone/remote/pbs/proxmox-backup-sync.sh >/dev/null 2>&1