From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-backup 1/3] paperkey: allow RSA keys without passphrase
Date: Mon, 1 Feb 2021 14:06:16 +0100
Message-ID: <20210201130618.800923-1-f.gruenbichler@proxmox.com>
some users might want to store the plain version of their master key for
long-term storage and rely on physical security instead of a passphrase
to protect the paper key.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
Notes:
Our tooling does not create passphrase-less master keys, so this needs a
conscious step by the user to remove the set passphrase anyway.
src/tools/paperkey.rs | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/src/tools/paperkey.rs b/src/tools/paperkey.rs
index 030275cc..859e8aed 100644
--- a/src/tools/paperkey.rs
+++ b/src/tools/paperkey.rs
@@ -30,8 +30,16 @@ pub fn generate_paper_key<W: Write>(
subject: Option<String>,
output_format: Option<PaperkeyFormat>,
) -> Result<(), Error> {
+ let (data, is_master_key) = if data.starts_with("-----BEGIN ENCRYPTED PRIVATE KEY-----\n")
+ || data.starts_with("-----BEGIN RSA PRIVATE KEY-----\n")
+ {
+ let data = data.trim_end();
+ if !(data.ends_with("\n-----END ENCRYPTED PRIVATE KEY-----")
+ || data.ends_with("\n-----END RSA PRIVATE KEY-----"))
+ {
+ bail!("unexpected key format");
+ }
- let (data, is_private_key) = if data.starts_with("-----BEGIN ENCRYPTED PRIVATE KEY-----\n") {
let lines: Vec<String> = data
.lines()
.map(|s| s.trim_end())
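Review bot: the BEGIN and END markers are checked independently of each other, so input that starts with `-----BEGIN ENCRYPTED PRIVATE KEY-----` and ends with `-----END RSA PRIVATE KEY-----` (or the reverse) passes both tests; consider remembering which BEGIN marker matched and requiring the corresponding END marker. Two smaller points on the new `-----BEGIN RSA PRIVATE KEY-----` branch: a PKCS#1 key that carries `Proc-Type: 4,ENCRYPTED` headers uses the same marker, so matching it does not by itself prove the key is unprotected, and an unencrypted PKCS#8 key (`-----BEGIN PRIVATE KEY-----`) is still rejected with the same generic "unexpected key format" message, so listing the accepted envelopes in the error text would help users who exported the plain key with a different tool.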
@@ -39,10 +47,6 @@ pub fn generate_paper_key<W: Write>(
.map(String::from)
.collect();
- if !lines[lines.len()-1].starts_with("-----END ENCRYPTED PRIVATE KEY-----") {
- bail!("unexpected key format");
- }
-
if lines.len() < 20 {
bail!("unexpected key format");
}
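Review bot: the `lines.len() < 20` check reuses the same "unexpected key format" message as the marker check, so a user whose key has the wrong markers and one whose key is simply too short get identical diagnostics; a message that names the cause (too few lines vs. unrecognised markers) would make a failed conversion easier to debug, and a short comment on where the 20-line minimum comes from would help, since it counts the marker lines as well.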
@@ -68,8 +72,8 @@ pub fn generate_paper_key<W: Write>(
let format = output_format.unwrap_or(PaperkeyFormat::Html);
match format {
- PaperkeyFormat::Html => paperkey_html(output, &data, subject, is_private_key),
- PaperkeyFormat::Text => paperkey_text(output, &data, subject, is_private_key),
+ PaperkeyFormat::Html => paperkey_html(output, &data, subject, is_master_key),
+ PaperkeyFormat::Text => paperkey_text(output, &data, subject, is_master_key),
}
}
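Review bot: `is_master_key` is derived purely from the PEM markers, so any PEM-encoded private key, not only a PBS master key, is rendered with the master-key layout; if that is intended, a doc comment on generate_paper_key stating that PEM input is treated as a master key (and JSON input is not) would save the next reader from working it out from the call sites.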
@@ -77,7 +81,7 @@ fn paperkey_html<W: Write>(
mut output: W,
lines: &[String],
subject: Option<String>,
- is_private: bool,
+ is_master: bool,
) -> Result<(), Error> {
let img_size_pt = 500;
@@ -107,7 +111,7 @@ fn paperkey_html<W: Write>(
writeln!(output, "<p>Subject: {}</p>", subject)?;
}
- if is_private {
+ if is_master {
const BLOCK_SIZE: usize = 20;
let blocks = (lines.len() + BLOCK_SIZE -1)/BLOCK_SIZE;
--
2.20.1
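Added example, not part of this patch or of the proxmox-backup code base: a stricter version of the envelope check, written as stand-alone Rust (std only). The names classify_pem, KeyKind and is_unprotected are my own, and the sample PEM blocks are constructed placeholders, not real keys. It records which BEGIN marker matched and demands the matching END marker, and for the PKCS#1 "RSA PRIVATE KEY" envelope it reads the optional RFC 1421 headers so that a legacy-encrypted key (Proc-Type: 4,ENCRYPTED) is not reported as an unprotected plain key. The 20-line minimum from the patch is left out so that the short constructed samples run.

```rust
// Added example (not part of the Proxmox patch): pair each PEM BEGIN marker
// with its own END marker and tell plain PKCS#1 keys apart from ones that
// carry legacy "Proc-Type: 4,ENCRYPTED" headers. std only.

#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum KeyKind {
    /// PKCS#8 EncryptedPrivateKeyInfo ("-----BEGIN ENCRYPTED PRIVATE KEY-----")
    EncryptedPkcs8,
    /// PKCS#1 RSA key without encryption headers: nothing protects it but paper
    PlainRsa,
    /// PKCS#1 RSA key with RFC 1421 "Proc-Type: 4,ENCRYPTED" headers
    LegacyEncryptedRsa,
}

/// Accepted envelope labels and the kind assumed before header inspection.
const LABELS: [(&str, KeyKind); 2] = [
    ("ENCRYPTED PRIVATE KEY", KeyKind::EncryptedPkcs8),
    ("RSA PRIVATE KEY", KeyKind::PlainRsa),
];

/// Validate the PEM envelope and return the trimmed lines plus the key kind.
pub fn classify_pem(data: &str) -> Result<(Vec<String>, KeyKind), String> {
    let data = data.trim_end();
    let lines: Vec<String> = data.lines().map(|l| l.trim_end().to_string()).collect();
    let first = lines.first().ok_or("empty input")?;
    let last = lines.last().ok_or("empty input")?;

    // Remember which BEGIN marker matched so the END marker can be checked against it.
    let mut found = None;
    for (label, kind) in LABELS.iter() {
        if *first == format!("-----BEGIN {}-----", label) {
            found = Some((*label, *kind));
        }
    }
    let (label, mut kind) =
        found.ok_or_else(|| format!("unexpected BEGIN marker: {:?}", first))?;

    let expected_end = format!("-----END {}-----", label);
    if *last != expected_end {
        return Err(format!("END marker {:?} does not match BEGIN marker {:?}", last, first));
    }

    // Optional RFC 1421 header block: "Name: value" lines right after BEGIN,
    // terminated by a blank line. Base64 body lines never contain ':'.
    let inner = &lines[1..lines.len() - 1];
    let mut body_start = 0;
    for (i, line) in inner.iter().enumerate() {
        if line.is_empty() {
            body_start = i + 1;
            break;
        }
        if !line.contains(':') {
            body_start = i;
            break;
        }
        if kind == KeyKind::PlainRsa && line.starts_with("Proc-Type:") && line.contains("ENCRYPTED") {
            kind = KeyKind::LegacyEncryptedRsa;
        }
    }

    // The body must be non-empty and look like base64; anything else is not a key.
    let body = &inner[body_start..];
    if body.is_empty() {
        return Err("empty key body".into());
    }
    for line in body {
        let base64_like = !line.is_empty()
            && line.chars().all(|c| c.is_ascii_alphanumeric() || "+/=".contains(c));
        if !base64_like {
            return Err(format!("non-base64 line in key body: {:?}", line));
        }
    }

    Ok((lines, kind))
}

/// True when nothing but physical custody of the paper protects the key.
pub fn is_unprotected(kind: KeyKind) -> bool {
    kind == KeyKind::PlainRsa
}

// Constructed placeholder blocks (not real keys; the base64 is filler).
pub const SAMPLE_PLAIN_RSA: &str =
    "-----BEGIN RSA PRIVATE KEY-----\nQUFBQUFBQUFBQUFB\nQkJCQkJCQkJCQkJC\n-----END RSA PRIVATE KEY-----\n";
pub const SAMPLE_LEGACY_ENCRYPTED_RSA: &str = "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nQUFBQUFBQUFBQUFB\nQkJCQkJCQkJCQkJC\n-----END RSA PRIVATE KEY-----\n";
// Passes an independent BEGIN/END check, but the markers do not belong together.
pub const SAMPLE_MISMATCHED: &str =
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nQUFBQUFBQUFBQUFB\n-----END RSA PRIVATE KEY-----\n";

fn main() {
    let samples = [
        ("plain", SAMPLE_PLAIN_RSA),
        ("legacy-encrypted", SAMPLE_LEGACY_ENCRYPTED_RSA),
        ("mismatched", SAMPLE_MISMATCHED),
    ];
    for (name, sample) in samples {
        match classify_pem(sample) {
            Ok((lines, kind)) => println!(
                "{}: {:?}, {} lines, unprotected={}",
                name, kind, lines.len(), is_unprotected(kind)
            ),
            Err(e) => println!("{}: rejected: {}", name, e),
        }
    }
}
```

A caller that wants the behaviour this patch enables (paper copies of plain keys) would check is_unprotected and print a warning on the paper key itself, rather than only accepting or rejecting the input.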
Thread overview: 4+ messages
2021-02-01 13:06 Fabian Grünbichler [this message]
2021-02-01 13:06 ` [pbs-devel] [PATCH proxmox-backup 2/3] paperkey: simplify block generation Fabian Grünbichler
2021-02-01 13:06 ` [pbs-devel] [PATCH proxmox-backup 3/3] paperkey: rustfmt Fabian Grünbichler
2021-02-01 16:05 ` [pbs-devel] applied: [PATCH proxmox-backup 1/3] paperkey: allow RSA keys without passphrase Dietmar Maurer