From 5a499f328154006631ac33e61a855978fe35101e Mon Sep 17 00:00:00 2001
From: Dietmar Maurer <dietmar@proxmox.com>
Date: Tue, 3 Dec 2019 15:23:24 +0100
Subject: [PATCH] docs/administration-guide.rst: add encryption section

---
 docs/administration-guide.rst | 31 +++++++++++++++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)

diff --git a/docs/administration-guide.rst b/docs/administration-guide.rst
index ebddaf6d..c2d9ef56 100644
--- a/docs/administration-guide.rst
+++ b/docs/administration-guide.rst
@@ -276,11 +276,38 @@ device:
   # proxmox-backup-client backup mydata.img:/dev/mylvm/mydata
 
 
-
-
 Encryption
 ^^^^^^^^^^
 
+Proxmox backup support client side encryption using AES-256 in GCM_
+mode. You first need to create an encryption key in order to use that:
+
+.. code-block:: console
+
+  # proxmox-backup-client key create my-backup.key
+  Encryption Key Password: **************
+
+The key is password protected by default. If you do not need this
+extra protection, you can also create it without a password:
+
+.. code-block:: console
+
+  # proxmox-backup-client key create /path/to/my-backup.key --kdf  none
+
+
+.. code-block:: console
+
+  # proxmox-backup-client backup etc.pxar:/etc --keyfile /path/to/my-backup.key
+  Password: *********
+  Encryption Key Password: **************
+  ...
+
+
+You can avoid having to enter the passwords by setting the environment
+variables ``PBS_PASSWORD`` and ``PBS_ENCRYPTION_PASSWORD``.
+
+.. todo:: Explain master-key
+
 
 Restoring Data
 ~~~~~~~~~~~~~~