[pve-devel] [PATCH qemu-server] vzdump: add master key support

Fri May 28 13:50:55 CEST 2021

On 08.02.21 14:08, Fabian Grünbichler wrote:
> running outdated VMs without master key support will generate a warning
> but proceed with a backup without encrypted key upload.
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> ---
> 
> Notes:
>     requires libpve-storage-perl with master key support.
> 

needs a rebase

>  PVE/VZDump/QemuServer.pm | 13 +++++++++++++
>  1 file changed, 13 insertions(+)
> 
> diff --git a/PVE/VZDump/QemuServer.pm b/PVE/VZDump/QemuServer.pm
> index b5e74d3..e3f785a 100644
> --- a/PVE/VZDump/QemuServer.pm
> +++ b/PVE/VZDump/QemuServer.pm
> @@ -485,6 +485,7 @@ sub archive_pbs {
>      my $repo = PVE::PBSClient::get_repository($scfg);
>      my $password = PVE::Storage::PBSPlugin::pbs_get_password($scfg, $opts->{storage});
>      my $keyfile = PVE::Storage::PBSPlugin::pbs_encryption_key_file_name($scfg, $opts->{storage});
> +    my $master_keyfile = PVE::Storage::PBSPlugin::pbs_master_pubkey_file_name($scfg, $opts->{storage});
>  
>      my $diskcount = scalar(@{$task->{disks}});
>      # proxmox-backup-client can only handle raw files and block devs
> @@ -533,6 +534,12 @@ sub archive_pbs {
>  	      . "sure you've installed the latest version and the VM has been restarted.\n";
>  	}
>  
> +	if (!defined($qemu_support->{"pbs-masterkey"}) && -e $master_keyfile) {
> +	    $self->loginfo("WARNING: backup target is configured with master key, but running QEMU version does not support master keys.");
> +	    $self->loginfo("Please make sure you've installed the latest version and the VM has been restarted to use master key feature.");
> +	    $master_keyfile = undef; # skip rest of master key handling below
> +	}
> +
>  	my $fs_frozen = $self->qga_fs_freeze($task, $vmid);
>  
>  	my $params = {
> @@ -551,7 +558,13 @@ sub archive_pbs {
>  	    $self->loginfo("enabling encryption");
>  	    $params->{keyfile} = $keyfile;
>  	    $params->{encrypt} = JSON::true;
> +	    if (defined($master_keyfile) && -e $master_keyfile) {
> +		$self->loginfo("enabling master key feature");
> +		$params->{"master-keyfile"} = $master_keyfile;
> +	    }
>  	} else {
> +	    $self->loginfo("WARNING: backup target is configured with master key, but this backup is not encrypted - master key settings will be ignored!")
> +		if defined($master_keyfile) && -e $master_keyfile;
>  	    $params->{encrypt} = JSON::false;
>  	}
>  
>