pbs_tape_key_create
Create a PBS tape encryption key to protect tape backups. Requires a password; use the resulting fingerprint to assign to a tape pool for encrypting future writes.
Instructions
MUTATION: create a PBS tape encryption key.
RISK_MEDIUM: creates a credential controlling future tape access. SECRET CONTRACT: key/
password are NEVER written to the audit ledger or returned in the dry-run PLAN — they are
forwarded RAW only to the real PBS API on confirm=True (the create must actually work).
confirm=True executes (POST /config/tape-encryption-keys, synchronous) and returns
{"status": "ok", "result": ""} — the fingerprint is NOT secret, safe to
record; assign it to a pool's encrypt field with pbs_tape_pool_create/pbs_tape_pool_update
to actually encrypt future tape writes. Needs PROXIMO_PBS_* config.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| kdf | No | Key derivation function: 'none', 'scrypt' (default), or 'pbkdf2'. | |
| key | No | Optional: restore/re-create a key from this exported JSON string (300-600 chars) instead of generating a new one. | |
| hint | No | Optional password hint (no control characters, 1-64 chars). | |
| confirm | No | False (default) returns a dry-run PLAN only; True executes the creation. | |
| password | Yes | A secret password protecting the new key (min 5 chars). REQUIRED. | |
| proximo_target | No | Which configured Proxmox target to run this call against — a target name from your multi-target config (a specific PVE/PBS/PMG/PDM box). Omit to use the single/default target from the environment; the selection applies only to this call. |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| result | Yes |