[pbs-devel] [PATCH proxmox-backup v7] fix #3854 paperkey import to proxmox-tape
Markus Frank
m.frank at proxmox.com
Thu Mar 24 12:49:30 CET 2022
added a parameter to the cli for importing tape key via a json-parameter or
via reading a exported paperkey-file or json-file.
For this i also added a backupkey parameter to the api, but here it only
accepts json.
The cli interprets the parameter first as json-string, then json-file
and last as paperkey-file.
functionality:
proxmox-tape key paperkey [fingerprint of existing key] > paperkey.backup
proxmox-tape key restore --backupkey paperkey.backup # key from line above
proxmox-tape key restore --backupkey paperkey.json # only the json
proxmox-tape key restore --backupkey '{"kdf": {"Scrypt": ...' # json as string
for importing the key as paperkey-file it is irrelevant, if the paperkey got exported as html
or txt.
Signed-off-by: Markus Frank <m.frank at proxmox.com>
---
Comments:
* I would disallow giving this functions both a drivename and a
backupkey, so that there is no confusion about the behavour.
version 7:
* moved to restore
* added json-parameter to cli
version 6:
* api: removed identical tuple-matching arms and returned to checking parameter-errors
earlier and adding hint if set afterwards
version 5:
* removed extract_text_between. I would say we can move it to a
public function if another component does a similar text-extraction.
* simplified text extraction
version 4:
* ParameterError::from to param_bail!
* when hint and paperkey-file used at the same time, old hint get overwritten
* added text in pbs-tools with function extract_text_between
version 3:
* ParameterError with method ParameterError::from
* changed --paperkey_file to --paperkey-file
version 2:
* added format_err! and ParameterError
* changed a few "ifs" to "match"
src/api2/tape/drive.rs | 65 +++++++++++++++++++-------
src/bin/proxmox_tape/encryption_key.rs | 59 +++++++++++++++++++++--
2 files changed, 102 insertions(+), 22 deletions(-)
diff --git a/src/api2/tape/drive.rs b/src/api2/tape/drive.rs
index 526743f6..c79688ff 100644
--- a/src/api2/tape/drive.rs
+++ b/src/api2/tape/drive.rs
@@ -10,7 +10,7 @@ use proxmox_sys::sortable;
use proxmox_router::{
list_subdirs_api_method, Permission, Router, RpcEnvironment, RpcEnvironmentType, SubdirMap,
};
-use proxmox_schema::api;
+use proxmox_schema::{api, param_bail};
use proxmox_section_config::SectionConfigData;
use proxmox_uuid::Uuid;
use proxmox_sys::{task_log, task_warn};
@@ -24,6 +24,8 @@ use pbs_api_types::{
use pbs_api_types::{PRIV_TAPE_AUDIT, PRIV_TAPE_READ, PRIV_TAPE_WRITE};
use pbs_config::CachedUserInfo;
+use pbs_config::key_config::KeyConfig;
+use pbs_config::tape_encryption_keys::insert_key;
use pbs_tape::{
BlockReadError,
sg_tape::tape_alert_flags_critical,
@@ -607,10 +609,18 @@ fn write_media_label(
properties: {
drive: {
schema: DRIVE_NAME_SCHEMA,
+ optional: true,
},
password: {
description: "Encryption key password.",
},
+ backupkey: {
+ description: "A previously exported paperkey in JSON format.",
+ type: String,
+ min_length: 300,
+ max_length: 600,
+ optional: true,
+ },
},
},
access: {
@@ -619,29 +629,48 @@ fn write_media_label(
)]
/// Try to restore a tape encryption key
pub async fn restore_key(
- drive: String,
+ drive: Option<String>,
password: String,
+ backupkey: Option<String>,
) -> Result<(), Error> {
- run_drive_blocking_task(
- drive.clone(),
- "restore key".to_string(),
- move |config| {
- let mut drive = open_drive(&config, &drive)?;
- let (_media_id, key_config) = drive.read_label()?;
+ if (drive.is_none() && backupkey.is_none()) || (drive.is_some() && backupkey.is_some()) {
+ param_bail!(
+ "drive",
+ format_err!("Please specify either a valid drive name or a backupkey")
+ );
+ }
- if let Some(key_config) = key_config {
- let password_fn = || { Ok(password.as_bytes().to_vec()) };
- let (key, ..) = key_config.decrypt(&password_fn)?;
- pbs_config::tape_encryption_keys::insert_key(key, key_config, true)?;
- } else {
- bail!("media does not contain any encryption key configuration");
+ if let Some(drive) = drive {
+ run_drive_blocking_task(
+ drive.clone(),
+ "restore key".to_string(),
+ move |config| {
+ let mut drive = open_drive(&config, &drive)?;
+
+ let (_media_id, key_config) = drive.read_label()?;
+
+ if let Some(key_config) = key_config {
+ let password_fn = || { Ok(password.as_bytes().to_vec()) };
+ let (key, ..) = key_config.decrypt(&password_fn)?;
+ insert_key(key, key_config, true)?;
+ } else {
+ bail!("media does not contain any encryption key configuration");
+ }
+
+ Ok(())
}
+ )
+ .await?;
+ }else if let Some(backupkey) = backupkey {
+ let key_config: KeyConfig =
+ serde_json::from_str(&backupkey).map_err(|err| format_err!("<errmsg>: {}", err))?;
+ let password_fn = || Ok(password.as_bytes().to_vec());
+ let (key, ..) = key_config.decrypt(&password_fn)?;
+ insert_key(key, key_config, false)?;
+ }
- Ok(())
- }
- )
- .await
+ Ok(())
}
#[api(
diff --git a/src/bin/proxmox_tape/encryption_key.rs b/src/bin/proxmox_tape/encryption_key.rs
index 71df9ffa..471a6349 100644
--- a/src/bin/proxmox_tape/encryption_key.rs
+++ b/src/bin/proxmox_tape/encryption_key.rs
@@ -1,8 +1,8 @@
-use anyhow::{bail, Error};
+use anyhow::{bail, format_err, Error};
use serde_json::Value;
use proxmox_router::{cli::*, ApiHandler, RpcEnvironment};
-use proxmox_schema::api;
+use proxmox_schema::{api, param_bail};
use proxmox_sys::linux::tty;
use pbs_api_types::{
@@ -12,6 +12,7 @@ use pbs_api_types::{
use pbs_datastore::paperkey::{PaperkeyFormat, generate_paper_key};
use pbs_config::tape_encryption_keys::{load_key_configs,complete_key_fingerprint};
+use pbs_config::key_config::KeyConfig;
use proxmox_backup::api2;
@@ -186,6 +187,9 @@ fn change_passphrase(
Ok(())
}
+pub const BEGIN_MARKER: &str = "-----BEGIN PROXMOX BACKUP KEY-----";
+pub const END_MARKER: &str = "-----END PROXMOX BACKUP KEY-----";
+
#[api(
input: {
properties: {
@@ -193,23 +197,70 @@ fn change_passphrase(
schema: DRIVE_NAME_SCHEMA,
optional: true,
},
+ "backupkey": {
+ description: "Importing a previously exported backupkey with either an exported paperkey-file, json-string or a json-file",
+ type: String,
+ optional: true,
+ },
},
},
)]
/// Restore encryption key from tape (read password from stdin)
async fn restore_key(
mut param: Value,
+ backupkey: Option<String>,
rpcenv: &mut dyn RpcEnvironment,
) -> Result<(), Error> {
let (config, _digest) = pbs_config::drive::config()?;
- param["drive"] = crate::extract_drive_name(&mut param, &config)?.into();
+
+ let drive = crate::extract_drive_name(&mut param, &config);
if !tty::stdin_isatty() {
bail!("no password input mechanism available");
}
- let password = tty::read_password("Tepe Encryption Key Password: ")?;
+ if (drive.is_err() && backupkey.is_none()) || (drive.is_ok() && backupkey.is_some()) {
+ param_bail!(
+ "drive",
+ format_err!("Please specify either a valid drive name or a backupkey")
+ );
+ }
+
+ if drive.is_ok() {
+ param["drive"] = drive.unwrap().into();
+ }
+
+ if let Some(backupkey) = backupkey {
+ if serde_json::from_str::<KeyConfig>(&backupkey).is_ok() {
+ // json as Parameter
+ println!("backupkey to import: {}", backupkey);
+ param["backupkey"] = backupkey.into();
+ } else {
+ println!("backupkey is not a valid json. Interpreting Parameter as a filename");
+ let data = proxmox_sys::fs::file_read_string(backupkey)?;
+ if serde_json::from_str::<KeyConfig>(&data).is_ok() {
+ // standalone json-file
+ println!("backupkey to import: {}", data);
+ param["backupkey"] = data.into();
+ } else {
+ // exported paperkey-file
+ let start = data
+ .find(BEGIN_MARKER)
+ .ok_or_else(|| format_err!("cannot find key start marker"))?
+ + BEGIN_MARKER.len();
+ let data_remain = &data[start..];
+ let end = data_remain
+ .find(END_MARKER)
+ .ok_or_else(|| format_err!("cannot find key end marker below start marker"))?;
+ let backupkey_extract = &data_remain[..end];
+ println!("backupkey to import: {}", backupkey_extract);
+ param["backupkey"] = backupkey_extract.into();
+ }
+ }
+ }
+
+ let password = tty::read_password("Tape Encryption Key Password: ")?;
param["password"] = String::from_utf8(password)?.into();
let info = &api2::tape::drive::API_METHOD_RESTORE_KEY;
--
2.30.2
More information about the pbs-devel
mailing list