From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pbs-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9])
	by lore.proxmox.com (Postfix) with ESMTPS id CDCE81FF13D
	for <inbox@lore.proxmox.com>; Thu, 08 Jan 2026 16:25:42 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 352D227F7E;
	Thu,  8 Jan 2026 16:25:42 +0100 (CET)
From: Christian Ebner <c.ebner@proxmox.com>
To: pbs-devel@lists.proxmox.com
Date: Thu,  8 Jan 2026 16:25:20 +0100
Message-ID: <20260108152520.783200-5-c.ebner@proxmox.com>
X-Mailer: git-send-email 2.47.3
In-Reply-To: <20260108152520.783200-1-c.ebner@proxmox.com>
References: <20260108152520.783200-1-c.ebner@proxmox.com>
MIME-Version: 1.0
X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2
X-Bm-Transport-Timestamp: 1767885900581
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.047 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
Subject: [pbs-devel] [PATCH proxmox-backup 4/4] fix #7219: client: mount:
 align encryption key loading behavior
X-BeenThere: pbs-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Backup Server development discussion
 <pbs-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pbs-devel/>
List-Post: <mailto:pbs-devel@lists.proxmox.com>
List-Help: <mailto:pbs-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=subscribe>
Reply-To: Proxmox Backup Server development discussion
 <pbs-devel@lists.proxmox.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pbs-devel-bounces@lists.proxmox.com
Sender: "pbs-devel" <pbs-devel-bounces@lists.proxmox.com>

The mount subcommand currently does not load the encrypton key from
the default key location, requiring to explicitley set the `keyfile`
parameter on command invocation.

Align the behaviour to the rest of the client commands by using the
pbs_client::tools::key_source::crypto_parameters helper to load the
key instead.

The same current behaviour for the benchmark command is not touched,
as there loading the encryption key should always be conrolled by
explicitley setting it, to avoid possible pitfalls.

Fixes: https://bugzilla.proxmox.com/show_bug.cgi?id=7219
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
---
 proxmox-backup-client/src/mount.rs | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/proxmox-backup-client/src/mount.rs b/proxmox-backup-client/src/mount.rs
index fa3385597..e815c8a9c 100644
--- a/proxmox-backup-client/src/mount.rs
+++ b/proxmox-backup-client/src/mount.rs
@@ -2,7 +2,7 @@ use std::collections::HashMap;
 use std::ffi::OsStr;
 use std::hash::BuildHasher;
 use std::os::unix::io::{AsRawFd, OwnedFd};
-use std::path::{Path, PathBuf};
+use std::path::Path;
 use std::sync::Arc;
 
 use anyhow::{bail, format_err, Error};
@@ -18,11 +18,13 @@ use proxmox_schema::*;
 use proxmox_sortable_macro::sortable;
 
 use pbs_api_types::{ArchiveType, BackupArchiveName, BackupNamespace};
-use pbs_client::tools::key_source::get_encryption_key_password;
+use pbs_client::tools::key_source::{
+    crypto_parameters, format_key_source, get_encryption_key_password,
+};
 use pbs_client::{BackupReader, RemoteChunkReader};
 use pbs_datastore::cached_chunk_reader::CachedChunkReader;
 use pbs_datastore::index::IndexFile;
-use pbs_key_config::load_and_decrypt_key;
+use pbs_key_config::decrypt_key;
 use pbs_tools::crypt_config::CryptConfig;
 use pbs_tools::json::required_string_param;
 
@@ -208,14 +210,16 @@ async fn mount_do(param: Value, pipe: Option<OwnedFd>) -> Result<Value, Error> {
     let path = required_string_param(&param, "snapshot")?;
     let backup_dir = dir_or_last_from_group(&client, &repo, &backup_ns, path).await?;
 
-    let keyfile = param["keyfile"].as_str().map(PathBuf::from);
-    let crypt_config = match keyfile {
+    let crypto = crypto_parameters(&param)?;
+
+    let crypt_config = match crypto.enc_key {
         None => None,
-        Some(path) => {
-            log::info!("Encryption key file: '{:?}'", path);
-            let (key, _, fingerprint) = load_and_decrypt_key(&path, &get_encryption_key_password)?;
-            log::info!("Encryption key fingerprint: '{}'", fingerprint);
-            Some(Arc::new(CryptConfig::new(key)?))
+        Some(key) => {
+            log::info!("{}", format_key_source(&key.source, "encryption"));
+            let (key, _created, fingerprint) = decrypt_key(&key.key, &get_encryption_key_password)?;
+            log::info!("Encryption key fingerprint: '{fingerprint}'");
+            let crypt_config = CryptConfig::new(key)?;
+            Some(Arc::new(crypt_config))
         }
     };
 
-- 
2.47.3



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel