[pve-devel] [PATCH-SERIES 0/4] PBS master key integration
f.ebner at proxmox.com
Wed May 12 11:54:53 CEST 2021
Am 08.02.21 um 14:08 schrieb Fabian Grünbichler:
> this series enables master key integration for PVE->PBS, by allowing the
> configuration of a per-storage master key which is used for (encrypted)
> VM and CT backups.
> while the diffs are small, the following bumps/dependencies/.. are required:
> proxmox-backup needs a bump (commits from other series)
> pve-storage needs a bump + a versioned-dep on proxmox-backup-client (new
> CLI parameters)
> qemu-server needs a versioned-dependency on bumped pve-storage (new
> storage plugin methods)
> qemu needs a bump + a versioned-dependency (build + RT) on
> libproxmox-backup-qemu (API change)
> libproxmox-backup-qemu needs a bump + breaks on pre-bump qemu (API
> it might make sense to queue the libproxmox-backup-qemu and
> proxmox-backup bumps together (the former directly references git of the
> latter at the moment, instead of a tag).
> pve-devel mailing list
> pve-devel at lists.proxmox.com
Tried out the series and works as advertised. Test log with a few nits
(one of them not even about this series, but the PBS docs):
For the storage parameter in the man page:
--master-pubkey a file containing a PEM-formatted master public key
Base64-encoded, PEM-formatted public RSA key. Used tp encrypt a
copy of the encryption-key which will be added to each encrypted backup.
The description might be confusing, as one might wrongly think the file
has to be base64 encoded. Also, there's a typo: "Used tp encrypt".
Tested storage adding/update/removal with master-pubkey. The update hook
does not check if there's an encryption key, but the add hook does.
Maybe we can also check that the file's contents are actually a PEM
Tested backup+restore of a VM, with
1) downgraded pve-qemu-kvm=5.1.0-8 libproxmox-backup-qemu0=1.0.2-1
2) storage with master-pubkey but no encryption key
Warnings show up in the log and master key is not used as expected.
Tested backup+restore of a VM and a CT with correctly configured
storage, also worked as expected.
Removed the encryption key on the storage, restore fails.
Restored the key from the backup with a master key as described in the
PBS docs. Well, except for using '--kdf none' in the command below, so I
could actually upload the keyfile to the storage again without running
into an "Error: no password input mechanism available". From the PBS docs:
6. Then, use the previously generated master key to decrypt the file:
# proxmox-backup-client key import-with-master-key /path/to/target
--master-keyfile /path/to/master-private.pem --encrypted-keyfile
7. The target file will now contain the encryption key information in
plain text. The success of this can be confirmed by passing the
resulting json file, with the --keyfile parameter, when decrypting files
from the backup.
Maybe we should mention something about the kdf, as the "file will now
contain the encryption key information in plain text" is a bit
misleading. Technically true, the information about the key is in plain
text, but not the key itself ;)
Now, restoring worked again. Also recovered the key from the CT backup
and checked that it matched.
More information about the pve-devel