From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: pbs-devel@lists.proxmox.com, Christian Ebner <c.ebner@proxmox.com>
Subject: applied: [PATCH proxmox{,-backup} v5 00/30] fix #7251: implement server side encryption support for push sync jobs
Date: Fri, 24 Apr 2026 00:38:10 +0200 [thread overview]
Message-ID: <177698386724.726567.13658777666523962267.b4-ty@b4> (raw)
In-Reply-To: <20260420161533.1055484-1-c.ebner@proxmox.com>
On Mon, 20 Apr 2026 18:15:03 +0200, Christian Ebner wrote:
> This patch series implements support for encrypting backup snapshots
> when pushing from a source PBS instance to an untrusted remote target
> PBS instance. Further, it adds support to decrypt snapshots being
> encrypted on the remote source PBS when pulling the contents to the
> local target PBS instance. This allows to perform full server side
> encryption/decryption when syncing with a less trusted remote PBS.
>
> [...]
NOTE: I applied the **v5** you had on the staff repo with some fixes from
offlist discussion, but I figured it still made sense to reply here as applied
for the sake of tracking and having a record here, thanks!
I also made a few selected follow-up changes that I squashed in, I annotated
the commits where I did for transparency. Should I overlooked something please
just holler at me and I'll take a look to fix this again.
Oh, and very nice work! FWIW, I did e2e test relatively late in the series and
mostly just a few nits with the UI, which is rather rare.
[01/28] sync: push: use tracing macros instead of log
(no commit info)
[02/28] datastore: blob: implement async reader for data blobs
commit: e929be4d7f3672e8b1167fdc3439b98b0ff6f299
[03/28] datastore: manifest: add helper for change detection fingerprint
commit: 87a819311a43a293ae8b75c2ef5056da9a4a23ab
[04/28] pbs-key-config: introduce store_with() for KeyConfig
commit: 55f66ba2eccfc40abcb7a0e8f993367e86c3b79f
[05/28] pbs-config: implement encryption key config handling
commit: a78dd6f221abd4a7dcfddba100aefe3513e0f76e
[06/28] pbs-config: acls: add 'encryption-keys' as valid 'system' subpath
commit: 0511b092d83221a22234530f9005668570b61d0a
[07/28] ui: expose 'encryption-keys' as acl subpath for 'system'
commit: 94d1b50b8ca4cc8f8db61b5428d2f5d855766673
[08/28] sync: add helper to check encryption key acls and load key
commit: e303c9f275f0da83cf37675bbcb252480fd954f2
[09/28] api: config: add endpoints for encryption key manipulation
commit: 8e0af7302f6942e092dbfd128d9ecd7a09afe103
[10/28] api: config: check sync owner has access to en-/decryption keys
commit: 4de98e18629873956bccd1d3420c3507efedc4f8
[11/28] api: config: allow encryption key manipulation for sync job
commit: bd30281d4f5fd87c4f317c8ce6503fdc2d7d68fb
[12/28] sync: push: rewrite manifest instead of pushing pre-existing one
commit: e79c5b693af491d79754d8202d94214876c2aabb
[13/28] api: push sync: expose optional encryption key for push sync
commit: 017367f0e95903df53897d434c0246269343db34
[14/28] sync: push: optionally encrypt data blob on upload
commit: 43392b2f337d05b989d96d64191eaff91476a903
[15/28] sync: push: optionally encrypt client log on upload if key is given
commit: d5d32af287673ed1781445b7261f6879ca78cf91
[16/28] sync: push: add helper for loading known chunks from previous snapshot
commit: 0f4222a68dc54ce128a8ab7438803c84448e38e5
[17/28] fix #7251: api: push: encrypt snapshots using configured encryption key
commit: eed12fb0e78899beea45016d4e215a7a75ca0e58
[18/28] ui: define and expose encryption key management menu item and windows
commit: d4725c6002227c3587b74790a951cba394f238b0
[19/28] ui: expose assigning encryption key to sync jobs
commit: 8c12731a1259b3531c2b3011fdb25381c2059e82
[20/28] sync: pull: load encryption key if given in job config
commit: 0bdb658a5f8a199b32edbe7bf7929ee5112625bb
[21/28] sync: expand source chunk reader trait by crypt config
commit: 6949158306c163159e073e63cb223ead9a072145
[22/28] sync: pull: introduce and use decrypt index writer if crypt config
commit: ad4e3caa6b2b96ddd661fb4efd7516a9555d1aad
[23/28] sync: pull: extend encountered chunk by optional decrypted digest
commit: 23e79689671c9432a70fbedc3e09488834be4e03
[24/28] sync: pull: decrypt blob files on pull if encryption key is configured
commit: 2f94320db105d255387e1de4254c42c5c7b62fae
[25/28] sync: pull: decrypt chunks and rewrite index file for matching key
commit: 18327080fb4333fb03d245f1e62b4c61090c12ff
[26/28] sync: pull: decrypt snapshots with matching encryption key fingerprint
commit: 8d389d42313aafdc59f47f1f86dee7c156835691
[27/28] api: encryption keys: allow to toggle the archived state for keys
commit: 4bb90f6e00f3b6097bd4ce425766060448c28c42
[28/28] docs: add section describing server side encryption for sync jobs
commit: 809c769493e3d8c0b6a18d006e467ee9e36aa30f
prev parent reply other threads:[~2026-04-23 22:44 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-20 16:15 [PATCH proxmox{,-backup} v4 00/30] fix #7251: implement server side encryption support for push sync jobs Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox v4 01/30] pbs-api-types: define en-/decryption key type and schema Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox v4 02/30] pbs-api-types: sync job: add optional cryptographic keys to config Christian Ebner
2026-04-22 15:18 ` Michael Köppl
2026-04-22 15:25 ` Christian Ebner
2026-04-22 15:29 ` Michael Köppl
2026-04-20 16:15 ` [PATCH proxmox-backup v4 03/30] sync: push: use tracing macros instead of log Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 04/30] datastore: blob: implement async reader for data blobs Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 05/30] datastore: manifest: add helper for change detection fingerprint Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 06/30] pbs-key-config: introduce store_with() for KeyConfig Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 07/30] pbs-config: implement encryption key config handling Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 08/30] pbs-config: acls: add 'encryption-keys' as valid 'system' subpath Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 09/30] ui: expose 'encryption-keys' as acl subpath for 'system' Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 10/30] sync: add helper to check encryption key acls and load key Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 11/30] api: config: add endpoints for encryption key manipulation Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 12/30] api: config: check sync owner has access to en-/decryption keys Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 13/30] api: config: allow encryption key manipulation for sync job Christian Ebner
2026-04-22 15:18 ` Michael Köppl
2026-04-22 15:28 ` Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 14/30] sync: push: rewrite manifest instead of pushing pre-existing one Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 15/30] api: push sync: expose optional encryption key for push sync Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 16/30] sync: push: optionally encrypt data blob on upload Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 17/30] sync: push: optionally encrypt client log on upload if key is given Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 18/30] sync: push: add helper for loading known chunks from previous snapshot Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 19/30] fix #7251: api: push: encrypt snapshots using configured encryption key Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 20/30] ui: define and expose encryption key management menu item and windows Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 21/30] ui: expose assigning encryption key to sync jobs Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 22/30] sync: pull: load encryption key if given in job config Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 23/30] sync: expand source chunk reader trait by crypt config Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 24/30] sync: pull: introduce and use decrypt index writer if " Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 25/30] sync: pull: extend encountered chunk by optional decrypted digest Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 26/30] sync: pull: decrypt blob files on pull if encryption key is configured Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 27/30] sync: pull: decrypt chunks and rewrite index file for matching key Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 28/30] sync: pull: decrypt snapshots with matching encryption key fingerprint Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 29/30] api: encryption keys: allow to toggle the archived state for keys Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 30/30] docs: add section describing server side encryption for sync jobs Christian Ebner
2026-04-23 22:38 ` Thomas Lamprecht [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=177698386724.726567.13658777666523962267.b4-ty@b4 \
--to=t.lamprecht@proxmox.com \
--cc=c.ebner@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.