From: Christian Ebner <c.ebner@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [PATCH proxmox-backup 20/20] sync: pull: decrypt snapshots with matching encryption key fingerprint
Date: Wed, 1 Apr 2026 09:55:21 +0200 [thread overview]
Message-ID: <20260401075521.176354-21-c.ebner@proxmox.com> (raw)
In-Reply-To: <20260401075521.176354-1-c.ebner@proxmox.com>
Decrypt any backup snapshot during pull which was encrypted with a
matching encryption key. Matching of keys is performed by comparing
the fingerprint of the key as stored in the source manifest and the
key configured for the pull sync jobs.
If matching, pass along the key's crypto config to the index and chunk
readers and write the local files unencrypted instead of simply
downloading them. A new manifest file is written instead of the
original one and files registered accordingly.
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
---
src/server/pull.rs | 78 ++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 76 insertions(+), 2 deletions(-)
diff --git a/src/server/pull.rs b/src/server/pull.rs
index 05152d0dd..22b058056 100644
--- a/src/server/pull.rs
+++ b/src/server/pull.rs
@@ -3,6 +3,7 @@
use std::collections::hash_map::Entry;
use std::collections::{HashMap, HashSet};
use std::io::{BufReader, Read, Seek, Write};
+use std::os::fd::AsRawFd;
use std::sync::atomic::{AtomicU64, AtomicUsize, Ordering};
use std::sync::{Arc, Mutex};
use std::time::SystemTime;
@@ -10,11 +11,14 @@ use std::time::SystemTime;
use anyhow::{bail, format_err, Context, Error};
use pbs_tools::crypt_config::CryptConfig;
use proxmox_human_byte::HumanByte;
+use serde_json::Value;
+use tokio::fs::OpenOptions;
+use tokio::io::AsyncWriteExt;
use tracing::{info, warn};
use pbs_api_types::{
print_store_and_ns, ArchiveType, Authid, BackupArchiveName, BackupDir, BackupGroup,
- BackupNamespace, GroupFilter, Operation, RateLimitConfig, Remote, SnapshotListItem,
+ BackupNamespace, CryptMode, GroupFilter, Operation, RateLimitConfig, Remote, SnapshotListItem,
VerifyState, CLIENT_LOG_BLOB_NAME, MANIFEST_BLOB_NAME, MAX_NAMESPACE_DEPTH,
PRIV_DATASTORE_AUDIT, PRIV_DATASTORE_BACKUP,
};
@@ -397,6 +401,7 @@ async fn pull_single_archive<'a>(
encountered_chunks: Arc<Mutex<EncounteredChunks>>,
crypt_config: Option<Arc<CryptConfig>>,
backend: &DatastoreBackend,
+ new_manifest: Option<Arc<Mutex<BackupManifest>>>,
) -> Result<SyncStats, Error> {
let archive_name = &archive_info.filename;
let mut path = snapshot.full_path();
@@ -446,6 +451,17 @@ async fn pull_single_archive<'a>(
// Overwrite current tmp file so it will be persisted instead
std::fs::rename(&path, &tmp_path)?;
+
+ if let Some(new_manifest) = new_manifest {
+ let name = archive_name.as_str().try_into()?;
+ // size is indetical to original, encrypted index
+ new_manifest.lock().unwrap().add_file(
+ &name,
+ size,
+ csum,
+ CryptMode::None,
+ )?;
+ }
}
sync_stats.add(stats);
@@ -484,6 +500,17 @@ async fn pull_single_archive<'a>(
// Overwrite current tmp file so it will be persisted instead
std::fs::rename(&path, &tmp_path)?;
+
+ if let Some(new_manifest) = new_manifest {
+ let name = archive_name.as_str().try_into()?;
+ // size is indetical to original, encrypted index
+ new_manifest.lock().unwrap().add_file(
+ &name,
+ size,
+ csum,
+ CryptMode::None,
+ )?;
+ }
}
sync_stats.add(stats);
@@ -522,6 +549,14 @@ async fn pull_single_archive<'a>(
decrypted_tmpfile.rewind()?;
let (csum, size) = sha256(&mut decrypted_tmpfile)?;
+ if let Some(new_manifest) = new_manifest {
+ let mut new_manifest = new_manifest.lock().unwrap();
+ let name = archive_name.as_str().try_into()?;
+ new_manifest.add_file(&name, size, csum, CryptMode::None)?;
+ }
+
+ nix::unistd::fsync(decrypted_tmpfile.as_raw_fd())?;
+
std::fs::rename(&decrypted_tmp_path, &tmp_path)?;
Ok::<(), Error>(())
@@ -607,9 +642,11 @@ async fn pull_snapshot<'a>(
let _ = std::fs::remove_file(&tmp_manifest_name);
return Ok(sync_stats); // nothing changed
}
+ // redownload also in case of encrypted, even if key would match as cannot
+ // fully verify otherwise due to file checksum mismatches.
}
- let manifest_data = tmp_manifest_blob.raw_data().to_vec();
+ let mut manifest_data = tmp_manifest_blob.raw_data().to_vec();
let manifest = BackupManifest::try_from(tmp_manifest_blob)?;
if ignore_not_verified_or_encrypted(
@@ -629,6 +666,16 @@ async fn pull_snapshot<'a>(
}
let mut crypt_config = None;
+ let mut new_manifest = None;
+ if let Ok(Some(source_fingerprint)) = manifest.fingerprint() {
+ if let Some(config) = ¶ms.crypt_config {
+ if config.fingerprint() == *source_fingerprint.bytes() {
+ crypt_config = Some(Arc::clone(config));
+ new_manifest = Some(Arc::new(Mutex::new(BackupManifest::new(snapshot.into()))));
+ info!("Found matching key fingerprint {source_fingerprint}, decrypt on pull");
+ }
+ }
+ }
let backend = ¶ms.target.backend;
for item in manifest.files() {
@@ -678,11 +725,38 @@ async fn pull_snapshot<'a>(
encountered_chunks.clone(),
crypt_config.clone(),
backend,
+ new_manifest.clone(),
)
.await?;
sync_stats.add(stats);
}
+ if let Some(new_manifest) = new_manifest {
+ let mut new_manifest = Arc::try_unwrap(new_manifest)
+ .map_err(|_arc| {
+ format_err!("failed to take ownership of still referenced new manifest")
+ })?
+ .into_inner()
+ .unwrap();
+
+ // copy over notes ecc, but drop encryption key fingerprint
+ new_manifest.unprotected = manifest.unprotected.clone();
+ new_manifest.unprotected["key-fingerprint"] = Value::Null;
+
+ let manifest_string = new_manifest.to_string(None)?;
+ let manifest_blob = DataBlob::encode(manifest_string.as_bytes(), None, true)?;
+ // update contents to be uploaded to backend
+ manifest_data = manifest_blob.raw_data().to_vec();
+
+ let mut tmp_manifest_file = OpenOptions::new()
+ .write(true)
+ .truncate(true) // clear pre-existing manifest content
+ .open(&tmp_manifest_name)
+ .await?;
+ tmp_manifest_file.write_all(&manifest_data).await?;
+ tmp_manifest_file.flush().await?;
+ }
+
if let Err(err) = std::fs::rename(&tmp_manifest_name, &manifest_name) {
bail!("Atomic rename file {:?} failed - {}", manifest_name, err);
}
--
2.47.3
next prev parent reply other threads:[~2026-04-01 7:55 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-01 7:55 [PATCH proxmox{,-backup} 00/20] fix #7251: implement server side encryption support for push sync jobs Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox 01/20] pbs-api-types: define encryption key type and schema Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox 02/20] pbs-api-types: sync job: add optional encryption key to config Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox-backup 03/20] pbs-key-config: introduce store_with() for KeyConfig Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox-backup 04/20] pbs-config: implement encryption key config handling Christian Ebner
2026-04-01 23:27 ` Thomas Lamprecht
2026-04-02 7:09 ` Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox-backup 05/20] pbs-config: acls: add 'encryption-keys' as valid 'system' subpath Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox-backup 06/20] ui: expose 'encryption-keys' as acl subpath for 'system' Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox-backup 07/20] api: config: add endpoints for encryption key manipulation Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox-backup 08/20] api: config: allow encryption key manipulation for sync job Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox-backup 09/20] sync: push: rewrite manifest instead of pushing pre-existing one Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox-backup 10/20] sync: add helper to check encryption key acls and load key Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox-backup 11/20] fix #7251: api: push: encrypt snapshots using configured encryption key Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox-backup 12/20] ui: define and expose encryption key management menu item and windows Christian Ebner
2026-04-01 23:09 ` Thomas Lamprecht
2026-04-03 8:35 ` Dominik Csapak
2026-04-01 23:10 ` Thomas Lamprecht
2026-04-03 12:16 ` Dominik Csapak
2026-04-01 7:55 ` [PATCH proxmox-backup 13/20] ui: expose assigning encryption key to sync jobs Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox-backup 14/20] sync: pull: load encryption key if given in job config Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox-backup 15/20] sync: expand source chunk reader trait by crypt config Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox-backup 16/20] sync: pull: introduce and use decrypt index writer if " Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox-backup 17/20] sync: pull: extend encountered chunk by optional decrypted digest Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox-backup 18/20] sync: pull: decrypt blob files on pull if encryption key is configured Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox-backup 19/20] sync: pull: decrypt chunks and rewrite index file for matching key Christian Ebner
2026-04-01 7:55 ` Christian Ebner [this message]
2026-04-02 0:25 ` [PATCH proxmox{,-backup} 00/20] fix #7251: implement server side encryption support for push sync jobs Thomas Lamprecht
2026-04-02 7:37 ` Christian Ebner
2026-04-03 8:39 ` Dominik Csapak
2026-04-03 8:50 ` Christian Ebner
2026-04-03 9:00 ` Dominik Csapak
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260401075521.176354-21-c.ebner@proxmox.com \
--to=c.ebner@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.