[pbs-devel] [PATCH proxmox-backup 09/13] paperkey: add short key ID to subject

[Fabian Grünbichler]

On November 23, 2020 9:30 am, Dietmar Maurer wrote:
>> I originally wanted to keep the full fingerprint in, but conceded to 
>> your space arguments here and only included the short version.. I also 
>> don't really buy the confusion, since unless the user has manually 
>> looked inside the key file they don't even know that or how the 
>> fingerprint is stored there - in the user-facing parts we only ever show 
>> the short key ID. furthermore we already paperkey the pretty-printed 
>> version so if the user restores that the checksum of the keyfile is 
>> different anyhow.
> 
> Don't get that. You delete the fingerprint, so if a user restores that key
> he don't have a fingerprint to compare?

the short key ID is put into the subject now to make human matching of 
paperkey printouts and manifest/snapshot lists easier.

if the user restores the paperkey into a keyfile, anytime that keyfile 
is used it will re-generate the fingerprint on the fly. if the keyfile 
is modified (e.g. on passphrase/KDF change), the generated fingerprint 
will also be persisted again. we don't have a 'restore paperkey' command 
(yet), but if we ever do, that could of course also regenerate the full 
fingerprint and persist it on writing out the keyfile.