[pbs-devel] [PATCH proxmox-backup 4/4] fix #7219: client: mount: align encryption key loading behavior

Daniel Herzig d.herzig at proxmox.com
Fri Jan 9 13:33:24 CET 2026


Thanks -- I just gave this a quick spin and it works as expected here (no
need to pass the default key location anymore).

Tested-by: Daniel Herzig <d.herzig at proxmox.com>

On 1/8/26 4:25 PM, Christian Ebner wrote:
> The mount subcommand currently does not load the encryption key from
> the default key location, requiring the `keyfile` parameter to be set
> explicitly on command invocation.
>
> Align the behaviour to the rest of the client commands by using the
> pbs_client::tools::key_source::crypto_parameters helper to load the
> key instead.
>
> The same current behaviour for the benchmark command is not touched,
> as there loading the encryption key should always be controlled by
> explicitly setting it, to avoid possible pitfalls.
>
> Fixes: https://bugzilla.proxmox.com/show_bug.cgi?id=7219
> Signed-off-by: Christian Ebner <c.ebner at proxmox.com>
> ---
>   proxmox-backup-client/src/mount.rs | 24 ++++++++++++++----------
>   1 file changed, 14 insertions(+), 10 deletions(-)
>
> diff --git a/proxmox-backup-client/src/mount.rs b/proxmox-backup-client/src/mount.rs
> index fa3385597..e815c8a9c 100644
> --- a/proxmox-backup-client/src/mount.rs
> +++ b/proxmox-backup-client/src/mount.rs
> @@ -2,7 +2,7 @@ use std::collections::HashMap;
>   use std::ffi::OsStr;
>   use std::hash::BuildHasher;
>   use std::os::unix::io::{AsRawFd, OwnedFd};
> -use std::path::{Path, PathBuf};
> +use std::path::Path;
>   use std::sync::Arc;
>   
>   use anyhow::{bail, format_err, Error};
> @@ -18,11 +18,13 @@ use proxmox_schema::*;
>   use proxmox_sortable_macro::sortable;
>   
>   use pbs_api_types::{ArchiveType, BackupArchiveName, BackupNamespace};
> -use pbs_client::tools::key_source::get_encryption_key_password;
> +use pbs_client::tools::key_source::{
> +    crypto_parameters, format_key_source, get_encryption_key_password,
> +};
>   use pbs_client::{BackupReader, RemoteChunkReader};
>   use pbs_datastore::cached_chunk_reader::CachedChunkReader;
>   use pbs_datastore::index::IndexFile;
> -use pbs_key_config::load_and_decrypt_key;
> +use pbs_key_config::decrypt_key;
>   use pbs_tools::crypt_config::CryptConfig;
>   use pbs_tools::json::required_string_param;
>   
> @@ -208,14 +210,16 @@ async fn mount_do(param: Value, pipe: Option<OwnedFd>) -> Result<Value, Error> {
>       let path = required_string_param(&param, "snapshot")?;
>       let backup_dir = dir_or_last_from_group(&client, &repo, &backup_ns, path).await?;
>   
> -    let keyfile = param["keyfile"].as_str().map(PathBuf::from);
> -    let crypt_config = match keyfile {
> +    let crypto = crypto_parameters(&param)?;
> +
> +    let crypt_config = match crypto.enc_key {
>           None => None,
> -        Some(path) => {
> -            log::info!("Encryption key file: '{:?}'", path);
> -            let (key, _, fingerprint) = load_and_decrypt_key(&path, &get_encryption_key_password)?;
> -            log::info!("Encryption key fingerprint: '{}'", fingerprint);
> -            Some(Arc::new(CryptConfig::new(key)?))
> +        Some(key) => {
> +            log::info!("{}", format_key_source(&key.source, "encryption"));
> +            let (key, _created, fingerprint) = decrypt_key(&key.key, &get_encryption_key_password)?;
> +            log::info!("Encryption key fingerprint: '{fingerprint}'");
> +            let crypt_config = CryptConfig::new(key)?;
> +            Some(Arc::new(crypt_config))
>           }
>       };
>   
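Review bot: In the `Some(key)` arm the name `key` is rebound on the `decrypt_key` line from the key-plus-source value returned by `crypto_parameters` to the decrypted key material, which makes the arm harder to audit. Naming the outer binding, e.g. `Some(key_with_source) =>` with `decrypt_key(&key_with_source.key, &get_encryption_key_password)?`, keeps the two apart. Because the key can now come from the default location without the user naming it, a comment above the match such as `// enc_key may come from the default key location, not only from the keyfile parameter` would record that the `None` arm no longer just means "no keyfile given". The `decrypt_key` error is propagated with a bare `?`, so a failure on an implicitly loaded key presumably aborts the mount with only the earlier info-level line identifying the key; attaching the key source to that error would make it easier to diagnose. `mount_do` starts and continues outside this hunk, so whether the loaded key's fingerprint is checked against the snapshot cannot be confirmed from here.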



