[pbs-devel] [PATCH proxmox-backup 09/13] paperkey: add short key ID to subject

Fabian Grünbichler f.gruenbichler at proxmox.com
Mon Nov 23 09:47:49 CET 2020


On November 23, 2020 9:30 am, Dietmar Maurer wrote:
>> I originally wanted to keep the full fingerprint in, but conceded to 
>> your space arguments here and only included the short version. I also 
>> don't really buy the confusion, since unless the user has manually 
>> looked inside the key file they don't even know that or how the 
>> fingerprint is stored there - in the user-facing parts we only ever show 
>> the short key ID. furthermore we already paperkey the pretty-printed 
>> version so if the user restores that the checksum of the keyfile is 
>> different anyhow.
> 
> Don't get that. You delete the fingerprint, so if a user restores that key
> he doesn't have a fingerprint to compare?

the short key ID is put into the subject now to make human matching of 
paperkey printouts and manifest/snapshot lists easier.

if the user restores the paperkey into a keyfile, anytime that keyfile 
is used it will re-generate the fingerprint on the fly. if the keyfile 
is modified (e.g. on passphrase/KDF change), the generated fingerprint 
will also be persisted again. we don't have a 'restore paperkey' command 
(yet), but if we ever do, that could of course also regenerate the full 
fingerprint and persist it on writing out the keyfile.




