pbs_encryption_key_create
Create a Proxmox Backup Server client encryption key by specifying a key_id and optionally providing key material; use confirm=True to execute.
Instructions
MUTATION: create a PBS client encryption key.
RISK_MEDIUM: creates a credential controlling future client-side encryption capability.
SECRET CONTRACT: key (if given) is NEVER written to the audit ledger or the dry-run PLAN —
forwarded RAW only to the real PBS API on confirm=True. SCHEMA QUIRK: this endpoint returns
null — unlike the tape-encryption-keys plane, NO fingerprint comes back; check
pbs_encryption_key_list afterward for the assigned fingerprint/hint/kdf, if any. confirm=True
executes (POST /config/encryption-keys, synchronous) and returns
{"status": "ok", "result": None}. Needs PROXIMO_PBS_* config.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| key | No | Optional: import this key material instead of having PBS generate a fresh one. No length bound (unlike the tape-encryption-keys plane's 300-600 char requirement). | |
| key_id | Yes | New encryption key id (3-32 chars, alnum/underscore start, then alnum/./_/-). CALLER-CHOSEN — PBS does not generate it. | |
| confirm | No | False (default) returns a dry-run PLAN only; True executes the creation. | |
| proximo_target | No | Which configured Proxmox target to run this call against — a target name from your multi-target config (a specific PVE/PBS/PMG/PDM box). Omit to use the single/default target from the environment; the selection applies only to this call. |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| result | Yes |