Every IT team running Proxmox VE knows they need to back up their VMs. Fewer have a backup strategy they would stake their job on if a full recovery were required at 3 AM. The difference between a backup that exists and a backup that works comes down to practices that extend well beyond configuring a job and walking away — retention policies designed for actual RPO requirements, verification that runs on schedule rather than on trust, pruning that is paired with garbage collection, and recovery testing that happens before an incident requires it.
This guide covers the full proxmox backup and restore lifecycle: how to design retention policies, how backup scheduling maps to RPO requirements, how PBS verify jobs work, how proxmox backup prune and GC interact, what immutable backup adds to ransomware protection, and how compliance requirements shape backup architecture. Whether you are building a new strategy or auditing an existing one, this is the complete framework.
See How Zmanda Pro Protects Proxmox
Start with Recovery Requirements, Not Backup Settings
Most backup strategies are designed backwards — they start with “what can I back up?” instead of “what do I need to recover?” The right starting point is two metrics that every IT team should have documented before touching a backup schedule:
- RTO (Recovery Time Objective): How long can the business tolerate a specific system being unavailable? Minutes for the authentication server; hours for an internal wiki. Define this per workload category, not as a single number for the entire environment.
- RPO (Recovery Point Objective): How much data loss is acceptable? Daily backup = up to 24 hours of data loss is tolerable. Hourly backup = up to 1 hour. The answer determines backup frequency.
Once RTO and RPO are defined per workload tier, every backup configuration decision, schedule frequency, retention depth, storage location, and verification frequency has a clear answer derived from the requirement rather than from what happens to be convenient to configure.
Proxmox Backup Retention Policy: How to Design It
Proxmox Backup Server retention is configured using five parameters that can be combined:
keep-last N— keep the N most recent backups regardless of timingkeep-daily N— keep one backup per day for N dayskeep-weekly N— keep one backup per week for N weekskeep-monthly N— keep one backup per month for N monthskeep-yearly N— keep one backup per year for N years
These settings apply independently. PBS applies retention logic when a prune job runs, not at backup ingestion time. A backup is retained if it satisfies any of the configured keep rules.
| Environment Type | Keep Daily | Keep Weekly | Keep Monthly | Keep Yearly |
|---|---|---|---|---|
| Development / Lab | 3 | 1 | — | — |
| Small Production | 7 | 4 | 3 | — |
| Mid Enterprise | 14 | 8 | 6 | 1 |
| Compliance (HIPAA / PCI / SOC 2) | 30 | 52 | 12 | 7 |
Compliance environments have legally mandated retention windows. HIPAA requires 6 years of retention for certain record types. PCI DSS requires 1 year of audit log retention. SOC 2 auditors look for documented retention policies with evidence of enforcement. These requirements must be built into the retention configuration — not maintained manually.
Backup Scheduling: Matching Frequency to RPO
Backup schedule frequency must map directly to the RPO for each workload tier. A single cron schedule for all VMs ignores the fact that a database server and a dev environment have fundamentally different recovery requirements.
| Workload Tier | Schedule | Mode | RPO |
|---|---|---|---|
| Critical (DB, auth, core infra) | Multiple daily (every 4–6 hours) | Snapshot + guest agent | 4–6 hours |
| Standard production | Daily at 2:00 AM | Snapshot + guest agent | 24 hours |
| Non-critical / internal tools | Daily or every 2 days | Snapshot | 24–48 hours |
| Dev / test | Weekly | Stop or snapshot | 1 week |
Stagger backup start times across VM tiers to prevent simultaneous I/O spikes. A practical rule: offset each backup job by 5–10 minutes. Fifty VMs all starting backups at 2:00 AM creates a storage I/O spike that degrades both backup completion time and production VM performance during the window.
Proxmox Verify Backup: Why Verification Is Non-Negotiable
A backup that has never been verified is an assumption. Bit rot, silent disk corruption, incomplete writes, and chunk index inconsistencies can all create backups that look valid in the job log but fail on restore. PBS verify jobs address this without requiring a full restore.
PBS verify jobs read every chunk in the specified backups and confirm that chunk hashes match the stored index. This detects data corruption at the storage level and incomplete backups. What verify jobs do not do: simulate an application-level restore. They confirm data integrity at the chunk level — not that the restored VM will boot and serve traffic correctly.
Three levels of verification, scheduled in parallel:
- PBS Verify Job (weekly minimum): Chunk integrity validation — fast, automated. Schedule under Datastore → Verify Jobs → Add. Enable “Re-verify outdated snapshots” to catch backups not checked in the current period.
- Test restore to isolated VM (monthly minimum): Restore a backup to a separate VMID, boot the VM, verify application health. This confirms actual recoverability — not just chunk integrity.
- Full DR drill (quarterly minimum): Simulate a full recovery scenario — node failure, storage failure, or ransomware — against your documented recovery runbook. Measures actual RTO against stated requirements.
Proxmox Backup Prune and Garbage Collection: How They Work Together
Two distinct operations manage storage reclamation in PBS, and both must run for storage to actually be freed:
- Prune job: Identifies backup snapshots that fall outside the retention policy and marks them as deletable. Running prune alone does not free disk space.
- Garbage collection (GC) job: Walks the entire chunk store, identifies chunks that are no longer referenced by any backup snapshot, and physically deletes them. GC is what actually frees storage.
The practical consequence: schedule prune and GC as a sequence, not independently. A common misconfiguration is scheduling prune without scheduling GC — administrators then report that storage is not freeing up despite configured retention. The fix is simply running GC after prune completes.
Recommended schedule: prune job nightly at 3:00 AM (after backup jobs complete), GC job nightly at 4:00 AM or weekly at the weekend. For large datastores (20 TB+), weekly GC reduces the resource impact on PBS hardware during the backup window.
Immutable Backup: The Layer That Survives Ransomware
The most significant gap in a standard Proxmox backup strategy is mutable backup storage. Backups stored on NFS, local disk, or SMB shares can be deleted or encrypted by ransomware that compromises either the Proxmox host or the backup network. This is not hypothetical — modern ransomware specifically targets backup infrastructure to eliminate recovery options before the main payload runs.
Immutable backups — also called WORM (Write Once, Read Many) — cannot be modified or deleted for a defined retention period, even by an administrator with full credentials. Two mechanisms are available in the Proxmox ecosystem:
- S3 Object Lock: Configure an S3-compatible bucket (Wasabi, AWS S3) with Object Lock enabled. Backups synced to this bucket via PBS sync jobs are protected against deletion for the lock duration — even by the account that created them in Governance mode; even by Wasabi/AWS support in Compliance mode.
- ZFS snapshots on the PBS datastore: Scheduled ZFS snapshots of the PBS datastore pool provide a local immutability layer. Ransomware that deletes backup files in the filesystem cannot remove ZFS snapshots taken before the attack.
For HIPAA, PCI DSS, and SEC-regulated environments, immutable backup is effectively mandatory. Zmanda Pro supports WORM-compatible immutable storage with Object Lock integration natively, with compliance reporting that documents immutability status per backup for auditors. See the full 3-2-1 backup rule for where immutable offsite copies fit in a complete backup architecture.
See what enterprise Proxmox backup looks like beyond native tools
Proxmox Backup Best Practices: Complete Checklist
The complete proxmox backup best practice checklist for production environments:
- Define RTO and RPO per workload tier before configuring backup schedules
- Use snapshot mode with QEMU guest agent for all production VMs
- Configure tiered retention policies — daily, weekly, monthly, yearly as required
- Schedule prune jobs nightly and GC jobs immediately after prune
- Run PBS verify jobs weekly at minimum — automate, do not rely on manual checks
- Perform monthly restore tests to isolated VMs and verify application health
- Follow 3-2-1: local backup + secondary storage (NAS/PBS) + offsite cloud copy
- Enable immutable backup for ransomware protection and compliance
- Encrypt backups in transit and at rest — PBS supports client-side AES encryption
- Restrict backup storage network access — separate credentials from production
- Alert on backup failures — do not rely on manual log review for failure detection
- Document and test your DR runbook at minimum quarterly
For the full technical reference on Proxmox backup architecture, the complete Proxmox Backup Server guide covers every layer.
For enterprise teams that need centralized compliance reporting, automated alerting, and immutable storage without building custom tooling around PBS, Zmanda Pro provides the management layer that PBS does not.



